\input texinfo @c -*-texinfo-*-

@finalout
@setfilename kerb-inst-man

@ifinfo

@emph{Cygnus Network Security
Installation Notes}
January 1995

John Gilmore
Pat McGregor
Cygnus Support

CNS includes documentation and software developed at the Massachusetts
Institute of Technology, which includes this copyright information:

Copyright @copyright{} 1989 by the Massachusetts Institute of Technology.

@quotation
Export of software employing encryption from the United States of
America is assumed to require a specific license from the United States
Government. It is the responsibility of any person or organization
contemplating export to obtain such a license before exporting.
@end quotation

WITHIN THAT CONSTRAINT, permission to use, copy, modify, and distribute
this software and its documentation for any purpose and without fee is
hereby granted, provided that the above copyright notice appear in all
copies and that both that copyright notice and this permission notice
appear in supporting documentation, and that the name of M.I.T. not be
used in advertising or publicity pertaining to distribution of the
software without specific, written prior permission. M.I.T. makes no
representations about the suitability of this software for any purpose.
It is provided ``as is'' without express or implied warranty.

Copyright @copyright{} 1993, 1994, 1995 Cygnus Support.

Permission is granted to make and distribute verbatim copies of
this manual provided the copyright notice and this permission notice
are preserved on all copies.

@ignore
Permission is granted to process this file through TeX and print the
results, provided the printed document carries a copying permission
notice identical to this one except for the removal of this paragraph
(this paragraph not being relevant to the printed manual).
@end ignore

Permission is granted to copy and distribute modified versions of this
manual under the conditions for verbatim copying, provided also that
the entire resulting derived work is distributed under the terms of a
permission notice identical to this one.

Permission is granted to copy and distribute translations of this manual
into another language, under the above conditions for modified versions.

@end ifinfo

@setchapternewpage odd
@settitle Cygnus Network Security
@titlepage
@title Cygnus Network Security
@subtitle Installation Notes
@sp 2
@subtitle January 1995
@vfill
@author Mark Eichin
@author Pat McGregor
@author Cygnus Support

@page

@vskip 0pt plus 1filll

CNS includes documentation and software developed at the Massachusetts
Institute of Technology, which includes this copyright information:

Copyright @copyright{} 1989 by the Massachusetts Institute of Technology.

@quotation
Export of software employing encryption from the United States of
America is assumed to require a specific license from the United States
Government. It is the responsibility of any person or organization
contemplating export to obtain such a license before exporting.
@end quotation

WITHIN THAT CONSTRAINT, permission to use, copy, modify, and distribute
this software and its documentation for any purpose and without fee is
hereby granted, provided that the above copyright notice appear in all
copies and that both that copyright notice and this permission notice
appear in supporting documentation, and that the name of M.I.T. not be
used in advertising or publicity pertaining to distribution of the
software without specific, written prior permission. M.I.T. makes no
representations about the suitability of this software for any purpose.
It is provided ``as is'' without express or implied warranty.

Copyright @copyright{} 1993, 1994, 1995 Cygnus Support.

Permission is granted to make and distribute verbatim copies of
this manual provided the copyright notice and this permission notice
are preserved on all copies.

Permission is granted to copy and distribute modified versions of this
manual under the conditions for verbatim copying, provided also that
the entire resulting derived work is distributed under the terms of a
permission notice identical to this one.

Permission is granted to copy and distribute translations of this manual
into another language, under the above conditions for modified versions.
@end titlepage

@ifinfo
@node Top, Installing CNS, (dir), (dir)
@top Cygnus Network Security

@menu
* Installing CNS:: Installing CNS at Your Site
* Choosing a Realm Name:: Choosing a Kerberos Realm Name
* Installation overview:: CNS Installation Overview
* Installation on any machine:: Installation on any machine
* Configuring the KDC:: Configuring the Key Distribution Center
* Application server configuration:: Configuring an Application Server
* Adding users:: Adding users to the Kerberos database
@end menu
@end ifinfo

128 | |
---|
129 | @node Installing CNS, Choosing a Realm Name, Top, Top |
---|
130 | @chapter Installing CNS at Your Site |
---|
131 | |
---|
132 | Cygnus Support developed Cygnus Network Security (CNS) to provide strong |
---|
133 | system access security, with minimal impact on users' ease of access. |
---|
134 | Using Kerberos Version 4 encryption and client-server technology, CNS |
---|
135 | assures that user identities can be checked securely without |
---|
136 | transmitting passwords in clear over the Net. CNS is useful in closing |
---|
137 | up several large security holes: eavesdroppers recording login names and |
---|
138 | passwords as your users log in from remote locations; and active attacks |
---|
139 | based on providing a fake TCP/IP source address (IP address spoofing). |
---|
140 | |
---|
141 | Introducing CNS to an existing site involves more planning and execution |
---|
142 | than installing the average software package. CNS software is required |
---|
143 | on both ends of the remote login connections, and remote users must |
---|
144 | change their habits. |
---|
145 | |
---|
146 | To install CNS and make it useful, you have to: |
---|
147 | |
---|
148 | @itemize @bullet |
---|
149 | @item |
---|
150 | Install and configure the CNS software on the machines at your site. |
---|
151 | @item |
---|
152 | Set up a CNS Key Distribution Center server machine. |
---|
153 | @item |
---|
154 | [Optional] Set up one or more slave servers for reliability. |
---|
155 | @item |
---|
156 | Install and configure CNS client software on the machines from which |
---|
157 | your remote users log in. |
---|
158 | @item |
---|
159 | Add users and their passwords to your CNS server. |
---|
160 | @item |
---|
161 | Inform your users about CNS. |
---|
162 | @item |
---|
163 | [Optional] Turn off ordinary @code{rlogin}, @code{telnet}, and |
---|
164 | @code{rsh} services so that users are @emph{required} to use CNS rather |
---|
165 | than potentially exposing their passwords. |
---|
166 | @end itemize |
---|
167 | |
---|
168 | This manual covers only basic installation and configuration of the CNS |
---|
169 | software. See the @ref{Top,,Administration Tools,kerbman,Cygnus Network |
---|
170 | Security User and Administrator Documentation for CNS Version 1}, manual |
---|
171 | for more detailed information. |
---|
172 | |
---|
173 | @node Choosing a Realm Name, Installation overview, Installing CNS, Top |
---|
174 | @chapter Choosing a Realm Name |
---|
175 | |
---|
176 | You must chose a Kerberos realm name for your site. Although your realm |
---|
177 | name can be any string, there are certain conventions. The @sc{CNS} |
---|
178 | programs follow these conventions by default, so if you follow them as |
---|
179 | well you have to put less information in the @file{krb.conf} and |
---|
180 | @file{krb.realms} configuration files (these configuration files are |
---|
181 | described below). |
---|
182 | |
---|
183 | @itemize @bullet |
---|
184 | @item |
---|
185 | Realm names are always upper case strings. |
---|
186 | @item |
---|
187 | For a host named @samp{xxx.yyy}, the conventional Kerberos realm is |
---|
188 | @samp{XXX.YYY}. |
---|
189 | @item |
---|
190 | For a host named @samp{xxx.yyy.zzz}, the conventional Kerberos realm is |
---|
191 | @samp{YYY.ZZZ}. |
---|
192 | @item |
---|
193 | For a host named @samp{www.xxx.yyy.zzz}, the conventional Kerberos realm |
---|
194 | is @samp{XXX.YYY.ZZZ}, and so forth for additional levels in the host |
---|
195 | name. |
---|
196 | @end itemize |
---|
197 | |
---|
198 | @node Installation overview, Installation on any machine, Choosing a Realm Name, Top |
---|
199 | @chapter CNS Installation Overview |
---|
200 | |
---|
201 | A machine running CNS may act in three roles. A single machine can act |
---|
202 | simultaneously in any combination of these three roles: |
---|
203 | |
---|
204 | @itemize @bullet |
---|
205 | @item |
---|
206 | Kerberos Key Distribution Center server (providing password checking |
---|
207 | service) |
---|
208 | @item |
---|
209 | User Client (providing programs to let users login to Kerberized |
---|
210 | application servers) |
---|
211 | @item |
---|
212 | Application server (providing @code{rlogin}, @code{telnet}, @code{rsh}, |
---|
213 | and @code{rcp} services for client machines) |
---|
214 | @end itemize |
---|
215 | |
---|
216 | To use CNS, you need a main Key Distribution server and, preferably, one |
---|
217 | or more backups. Backups make it possible for your site to function |
---|
218 | even if the main server machine is unavailable. |
---|
219 | |
---|
220 | If possible, you should make @file{kerberos.@var{REALM}} be an alias for |
---|
221 | your main server machine. For example, the main server of the realm |
---|
222 | CYGNUS.COM is known as @file{kerberos.cygnus.com}. When the CNS |
---|
223 | binaries need to contact a Key Distribution Center server for a |
---|
224 | particular realm, they contact the machine named @samp{kerberos} by |
---|
225 | default. The @file{krb.conf} file may be used to override this default, |
---|
226 | as well as to name additional backup servers for a realm. The |
---|
227 | @file{krb.conf} file is described below. |
---|
228 | |
---|
229 | You should normally set up all machines at your site as application |
---|
230 | servers. This permits users to log into them directly using the CNS |
---|
231 | programs. |
---|
232 | |
---|
233 | You should set up all machines from which your users log in, as CNS |
---|
234 | clients. This normally includes all machines at your site. |
---|
235 | |
---|
236 | The following sections of this manual tell how to set up each CNS role. |
---|
237 | |
---|
238 | @node Installation on any machine, Configuring the KDC, Installation overview, Top |
---|
239 | @chapter Installation on any Machine |
---|
240 | |
---|
241 | @menu |
---|
242 | * Background:: Background Information |
---|
243 | * Instructions:: Installation Instructions |
---|
244 | @end menu |
---|
245 | |
---|
246 | @node Background, Instructions, Installation on any machine, Installation on any machine |
---|
247 | @section Background Information |
---|
248 | |
---|
249 | On all platforms, please use the instructions in the following section |
---|
250 | to install the binary software and perform the initial configuration. |
---|
251 | (If you need to compile the software from source code, see the |
---|
252 | @file{README} file in the source code.) |
---|
253 | |
---|
254 | You need to be operating as the @samp{root} user in order to create the |
---|
255 | @file{/usr/kerberos} directory, where the CNS package is being |
---|
256 | installed. You also need to be @samp{root} when running various steps |
---|
257 | of the configuration procedures. |
---|
258 | |
---|
259 | Your system's security is only as good as the security of your |
---|
260 | @samp{root} password. Please take other precautions to protect your |
---|
261 | system security in addition to installing CNS. CNS cannot protect you |
---|
262 | from someone who is able to steal @samp{root} privileges. CNS also does |
---|
263 | not protect you from break-ins caused by bugs in your daemons (e.g., |
---|
264 | @code{fingerd} or @code{sendmail}). On almost all Unix systems, if |
---|
265 | intruders can break in as an ordinary users, they can become root by |
---|
266 | exploiting bugs or imperfect configuration files. |
---|
267 | |
---|
268 | CNS installation is partially automated, but you must do some steps by |
---|
269 | hand. Please read through the installation instructions completely |
---|
270 | before you begin the installation. If you find unfamiliar concepts or |
---|
271 | words, please consult the glossary in @ref{Glossary,,Administration |
---|
272 | Tools,,Cygnus Network Security User and Administrator Documentation for |
---|
273 | CNS Version 1}. |
---|
274 | |
---|
275 | @node Instructions, , Background, Installation on any machine |
---|
276 | @section Installation Instructions |
---|
277 | |
---|
278 | These installation instructions are for the installation of pre-compiled |
---|
279 | binaries. Be sure you run this as @samp{root}. |
---|
280 | |
---|
281 | These directions install CNS under @file{/usr/kerberos}. This version |
---|
282 | of the software is not easily installed in other places. However, if |
---|
283 | you want to install it elsewhere, you can do so by making a symbolic |
---|
284 | link in @file{/usr/kerberos}. We recommend that for machines that act |
---|
285 | as CNS Kerberos Key Distribution Center servers, you place the files on |
---|
286 | a local disk. This prevents failures due to a file server being down or |
---|
287 | unreachable. |
---|
288 | |
---|
289 | The entire CNS Kerberos tree can be safely shared among machines of the |
---|
290 | same architecture. @file{/etc/krb-srvtab} is the only machine-dependent |
---|
291 | file. |
---|
292 | |
---|
293 | @enumerate |
---|
294 | @item If you wish to put the files somewhere other than @file{/usr/kerberos}, |
---|
295 | create a symbolic link as follows: |
---|
296 | @example |
---|
297 | ln -s /where/ever/you/want /usr/kerberos |
---|
298 | @end example |
---|
299 | All the directories in the @file{/where/ever/you/want} path must exist, |
---|
300 | with the possible exception of last one, which is automatically created |
---|
301 | when you unpack the distribution software. |
---|
302 | |
---|
303 | @item If CNS is not currently installed on this machine, it is |
---|
304 | simplest to unpack the tape directly into @file{/usr/kerberos}. Change |
---|
305 | directory to @file{/}. |
---|
306 | |
---|
307 | @item If CNS is already installed on this machine, it is best to |
---|
308 | unpack the tape in a directory other than @file{/usr/kerberos}. The |
---|
309 | installation procedure copies the binaries into place safely, without |
---|
310 | disturbing any running programs. Change directory to a directory with |
---|
311 | enough room to hold the CNS binaries. They unpack into the subdirectory |
---|
312 | @file{usr/kerberos}. |
---|
313 | |
---|
314 | @item If you are using a FTP'ed distribution, unpack the binaries using |
---|
315 | the command @code{uncompress < @var{machine-type}.tar.Z | tar xvf -}. |
---|
316 | The source code is available as a separate tar file, which may be |
---|
317 | unpacked using the corresponding command @code{uncompress < src.tar.Z | |
---|
318 | tar xvf -}. |
---|
319 | |
---|
320 | @item If your distribution is on tape, unpack the tape using the |
---|
321 | @code{tar xv} command. You may have to use @code{tar xvf @var{TAPE}}, |
---|
322 | where @var{TAPE} is the name of the tape drive you are using. |
---|
323 | |
---|
324 | The source code is stored as a second file on the same tape. To unpack |
---|
325 | the source code, you must skip the first file on the tape, and then |
---|
326 | unpack the sources using @code{tar xvf} just as you unpacked the |
---|
327 | binaries. To skip the first file on the tape, on most systems use |
---|
328 | @code{mt -f @var{TAPE} fsf}. On systems such as HP/UX or Irix 4, you |
---|
329 | must use @code{mt -t @var{TAPE} fsf} (i.e., use the option @samp{-t} |
---|
330 | rather than @samp{-f}). On SCO or SVR4 systems, use the command |
---|
331 | @samp{tape fsf @var{TAPE}}. Check the man pages for @samp{mt} or |
---|
332 | @samp{tape} on your system. |
---|
333 | |
---|
334 | @item Run @code{usr/kerberos/install/configure}. |
---|
335 | @itemize @bullet |
---|
336 | @item The configure script prompts: |
---|
337 | @smallexample |
---|
338 | If you've unpacked the tape in @var{DIR}, |
---|
339 | just press @kbd{RETURN}; |
---|
340 | If you've installed it below some other directory, |
---|
341 | enter it now. |
---|
342 | @end smallexample |
---|
343 | |
---|
344 | @noindent |
---|
345 | The configure script tries to determine the directory where you have |
---|
346 | unpacked the tape. If the reported directory is correct, just press |
---|
347 | @kbd{RETURN}. Otherwise, enter the name of the directory where you |
---|
348 | unpacked the tape. If you have not unpacked the tape under @file{/}, |
---|
349 | the script automatically copies the new binaries into |
---|
350 | @file{/usr/kerberos} without overwriting the existing binaries. |
---|
351 | |
---|
352 | @item The CNS configuration script automatically fixes the |
---|
353 | permissions on the CNS binaries, and it automatically checks that |
---|
354 | appropriate entries have been added to the @file{/etc/services} file. |
---|
355 | If any errors occur doing these steps, the script exits with an error |
---|
356 | message. |
---|
357 | |
---|
358 | @item If the file @file{/usr/kerberos/lib/krb.conf} exists, the |
---|
359 | configuration script assumes that CNS was already installed. It prints |
---|
360 | @smallexample |
---|
361 | Existing configuration for realm REALM preserved. |
---|
362 | To reconfigure it, delete /usr/kerberos/lib/krb.conf |
---|
363 | and re-run configure. |
---|
364 | @end smallexample |
---|
365 | |
---|
366 | @item If the file @file{/usr/kerberos/lib/krb.conf} does not exist, CNS |
---|
367 | prompts: |
---|
368 | @smallexample |
---|
369 | Enter name of local realm (for example, CYGNUS.COM): |
---|
370 | @end smallexample |
---|
371 | |
---|
372 | @noindent |
---|
373 | Enter the name you wish to use for your realm, all in uppercase. For |
---|
374 | one-host sites, the realm name is the normally the same as the host name |
---|
375 | (in capital letters). At larger sites, the realm name is usually the |
---|
376 | capitalized name of the main Internet domain (e.g. CYGNUS.COM or |
---|
377 | EFF.ORG). At large sites, there may be several realms (e.g. ENG.SUN.COM |
---|
378 | and MKTG.SUN.COM). |
---|
379 | @end itemize |
---|
380 | |
---|
381 | @item If you are updating an existing CNS installation on this machine, |
---|
382 | you are almost finished. You should test the new client programs, such as |
---|
383 | @code{kinit} and @code{rlogin}, to make sure they continue to work as |
---|
384 | expected. If this is machine is a Key Distribution Center, you should |
---|
385 | reboot it to start running the updated CNS server software. If this |
---|
386 | machine is an application server, you should skip to |
---|
387 | @ref{Application server configuration, Configuring an Application Server, |
---|
388 | Configuring an Application Server}, to consider turning off non-CNS |
---|
389 | access and to turn on the new @code{ftp} and @code{telnet} daemons. |
---|
390 | |
---|
391 | If this is a new CNS installation, you should continue following the |
---|
392 | installation instructions. |
---|
393 | |
---|
394 | @item If your realm name is different from your full Internet |
---|
395 | hostname with the first component stripped off, you must tell CNS how to |
---|
396 | map your hostname to your realm name. For example, if your hostname is |
---|
397 | @file{bogon.company.org}, CNS programs assume that your realm is |
---|
398 | @code{COMPANY.ORG} by default. If you pick any other realm name |
---|
399 | (perhaps @code{MKTG.COMPANY.ORG}), you have to edit the file |
---|
400 | @file{/usr/kerberos/lib/krb.realms}. Add two lines to the file to |
---|
401 | specify your domain name suffix, a space, and your realm name. One line |
---|
402 | should start with an initial dot, the other should not have it. |
---|
403 | Example: |
---|
404 | @example |
---|
405 | company.org MKTG.COMPANY.ORG |
---|
406 | .company.org MKTG.COMPANY.ORG |
---|
407 | @end example |
---|
408 | |
---|
409 | If you add your domain name to @file{krb.realms}, make sure that all |
---|
410 | your local and remote machines running CNS have the same entries in |
---|
411 | their local @file{krb.realms} files. |
---|
412 | |
---|
413 | @item When a CNS client program retrieves a ticket for a realm, it |
---|
414 | needs to know the hostname of the Key Distribution Center for that |
---|
415 | realm. The default server host name is @file{kerberos.@var{REALM}}. |
---|
416 | For example, the server for the realm @file{CYGNUS.COM} is |
---|
417 | @file{kerberos.cygnus.com}. If your users access realms which do not |
---|
418 | follow this convention, or if you want to specify more than one Key |
---|
419 | Distribution Center for a given realm, you must modify the file |
---|
420 | @file{/usr/kerberos/lib/krb.conf}. If you make changes to |
---|
421 | @file{krb.conf}, you must make sure that the versions on all user |
---|
422 | clients correspond. |
---|
423 | |
---|
424 | For each CNS Key Distribution Center or backup center, add a line to the file |
---|
425 | @file{/usr/kerberos/lib/krb.conf} that contains the realm name, followed |
---|
426 | by a space or tab, and the hostname of one of the Key Distribution |
---|
427 | Centers for that realm. If the realm has multiple key distribution |
---|
428 | centers, use multiple lines. On the line that refers to the master |
---|
429 | server (which also runs the @code{kadmind} daemon), add the words |
---|
430 | ``admin server'' to the end of the line. Example: |
---|
431 | @example |
---|
432 | MKTG.CORP.ORG kerberos.corp.org admin server |
---|
433 | MKTG.CORP.ORG backupserver.corp.org |
---|
434 | PODUNK.UNIVERSITY.EDU kerberos.podunk.edu admin server |
---|
435 | NEAR.NET kerberos.near.net |
---|
436 | @end example |
---|
437 | |
---|
438 | @noindent |
---|
439 | In this example, the last line is not actually necessary, because |
---|
440 | @file{kerberos.near.net} is the default server for realm |
---|
441 | @file{NEAR.NET}. |
---|
442 | |
---|
443 | The first line of the @file{krb.conf} file is special: it specifies the |
---|
444 | name of the default realm on this machine. Do not change it. |
---|
445 | |
---|
446 | @item @emph{If this is the first time you have installed CNS on your systems, |
---|
447 | go on to @ref{Configuring the KDC, Configuring the Key Distribution |
---|
448 | Center, Configuring the Key Distribution Center}. If this is not the |
---|
449 | first time you have installed CNS, go to the next step.} |
---|
450 | |
---|
451 | @item If this is a client-only installation, test the installation |
---|
452 | by running @code{/usr/kerberos/bin/kinit}. It should prompt you for a |
---|
453 | ``Kerberos name,'' by which it means your CNS Kerberos user name. Enter |
---|
454 | your user name in the default realm. You should get a @code{Password:} |
---|
455 | prompt. If you do not, your client programs cannot find a key |
---|
456 | distribution center for that realm; recheck your @file{krb.conf} file. |
---|
457 | If you are not running Domain Name Service, also check your @file{/etc/hosts} |
---|
458 | file. If you do get the @code{Password:} prompt, enter your password in |
---|
459 | this realm. @code{Kinit} should exit without any error messages, and |
---|
460 | @code{klist} should show a single ticket whose Principal is |
---|
461 | ``krbtgt.REALM@@REALM.'' You can now test the application programs from |
---|
462 | @file{/usr/kerberos/bin} (such as @code{rlogin}), or you can just type |
---|
463 | @code{kdestroy} to destroy that ticket. |
---|
464 | |
---|
465 | If your users access multiple realms, test each realm in turn, by typing |
---|
466 | @code{kinit -r} and @kbd{RETURN}, entering the user name as above, and |
---|
467 | then entering the realm name at the @file{Kerberos realm:} prompt. |
---|
468 | |
---|
469 | @end enumerate |
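The realm-name convention, the @file{krb.realms} mapping and the @file{krb.conf} lookup described in the steps above, worked through in Python as an added example (not code from the CNS distribution or from this manual). It uses constructed sample files modelled on the examples above; the first-match rule for @file{krb.realms} entries and treating the fallback @file{kerberos.@var{REALM}} host as the admin server are this example's assumptions.

```python
"""Resolve a host to its Kerberos v4 realm and that realm's KDC list,
following the CNS installation notes: default realm is the hostname with
its first label dropped and uppercased; krb.realms overrides that for a
domain; krb.conf lists KDCs per realm (first line = default realm) and a
realm without an entry is served by kerberos.REALM."""
from typing import Dict, List, Tuple

# Constructed sample files (not from any real site), modelled on the
# manual's krb.realms and krb.conf examples.
SAMPLE_KRB_REALMS = """\
company.org MKTG.COMPANY.ORG
.company.org MKTG.COMPANY.ORG
"""

SAMPLE_KRB_CONF = """\
MKTG.COMPANY.ORG
MKTG.CORP.ORG kerberos.corp.org admin server
MKTG.CORP.ORG backupserver.corp.org
PODUNK.UNIVERSITY.EDU kerberos.podunk.edu admin server
NEAR.NET kerberos.near.net
"""


def default_realm_for_host(hostname: str) -> str:
    """xxx.yyy -> XXX.YYY; xxx.yyy.zzz -> YYY.ZZZ; www.xxx.yyy.zzz -> XXX.YYY.ZZZ."""
    labels = hostname.lower().strip(".").split(".")
    if len(labels) <= 2:             # a bare domain (or one-host site) maps to itself
        return ".".join(labels).upper()
    return ".".join(labels[1:]).upper()


def parse_krb_realms(text: str) -> List[Tuple[str, str]]:
    """Each line: domain suffix, whitespace, REALM.  File order is preserved."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            entries.append((parts[0].lower(), parts[1].upper()))
    return entries


def realm_of_host(hostname: str, krb_realms: str = "") -> str:
    """krb.realms first (first matching entry wins, this example's assumption),
    otherwise the default naming convention."""
    host = hostname.lower().strip(".")
    for pattern, realm in parse_krb_realms(krb_realms):
        if pattern.startswith("."):
            if host.endswith(pattern):   # ".company.org" matches every host below it
                return realm
        elif host == pattern:            # "company.org" matches that exact name
            return realm
    return default_realm_for_host(host)


def parse_krb_conf(text: str) -> Tuple[str, Dict[str, List[Tuple[str, bool]]]]:
    """Return (default realm, {REALM: [(kdc host, is admin server), ...]}).
    The first non-blank line names this machine's default realm."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("krb.conf is empty: first line must name the default realm")
    default_realm = lines[0].split()[0].upper()
    kdcs: Dict[str, List[Tuple[str, bool]]] = {}
    for line in lines[1:]:
        parts = line.split()
        if len(parts) < 2:
            continue                     # skip malformed lines rather than guess
        realm, host = parts[0].upper(), parts[1].lower()
        is_admin = [p.lower() for p in parts[2:4]] == ["admin", "server"]
        kdcs.setdefault(realm, []).append((host, is_admin))
    return default_realm, kdcs


def kdcs_for_realm(realm: str, krb_conf: str) -> List[Tuple[str, bool]]:
    """KDCs for a realm in krb.conf order; with no entry, fall back to the
    conventional kerberos.REALM host (assumed here to be the admin server too)."""
    _, kdcs = parse_krb_conf(krb_conf)
    entries = kdcs.get(realm.upper())
    if entries:
        return entries
    return [("kerberos." + realm.lower(), True)]


def resolve(hostname: str, krb_realms: str, krb_conf: str):
    """The full lookup a client performs before it contacts a KDC."""
    realm = realm_of_host(hostname, krb_realms)
    return realm, kdcs_for_realm(realm, krb_conf)


if __name__ == "__main__":
    for host in ("bogon.company.org", "host.corp.org", "www.near.net"):
        print(host, "->", resolve(host, SAMPLE_KRB_REALMS, SAMPLE_KRB_CONF))
```

Running it shows @file{host.corp.org} resolving to @code{CORP.ORG} rather than @code{MKTG.CORP.ORG}: a site that chooses a non-default realm name needs the @file{krb.realms} entries on every client as well as the @file{krb.conf} lines.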
---|
470 | |
---|
471 | If you are only installing CNS client services, your installation is |
---|
472 | complete. Congratulations. You and your users should add |
---|
473 | @code{/usr/kerberos/bin} to the path used to find programs. |
---|
474 | |
---|
475 | @node Configuring the KDC, Application server configuration, Installation on any machine, Top |
---|
476 | @chapter Configuring the Key Distribution Center |
---|
477 | |
---|
478 | This section describes how to configure the Key Distribution Center |
---|
479 | (KDC) server machine. You must have at least one KDC in your realm. |
---|
480 | You may also set up backup servers; see @ref{Top,,Administration |
---|
481 | Tools,kerbman,Cygnus Network Security User and Administrator |
---|
482 | Documentation for CNS Version 1}. |
---|
483 | |
---|
484 | @enumerate |
---|
485 | |
---|
486 | @item Log on to the server machine as @samp{root}. |
---|
487 | |
---|
488 | @item Add @file{/usr/kerberos/bin} and @file{/usr/kerberos/etc} to the |
---|
489 | working path. |
---|
490 | |
---|
491 | @item Run @code{kdb_init} to create the initial CNS Kerberos |
---|
492 | password database. Enter the realm name, and make up a good master |
---|
493 | password. For effective system security, it is important to choose a |
---|
494 | password that cannot easily be guessed or discovered. This password is |
---|
495 | used to encrypt the database on disk, so that it can be safely included |
---|
496 | in normal backup procedures; it is not used for any network operation. |
---|
497 | You @emph{must not forget} this password. Example: |
---|
498 | @smallexample |
---|
499 | sample# kdb_init |
---|
500 | Realm name [default error-default-realm ]: @file{COMPANY.ORG} |
---|
501 | You will be prompted for the database Master Password. |
---|
502 | It is important that you NOT FORGET this password. |
---|
503 | |
---|
504 | Kerberos master key: @emph{password does not echo} |
---|
505 | Verifying, please re-enter Kerberos master key: @emph{reenter password} |
---|
506 | |
---|
507 | @end smallexample |
---|
508 | |
---|
509 | @item Store the master password in @file{/.k} for convenience or unattended |
---|
510 | operation. (If you do not do this, you must type the master password |
---|
511 | each time the system reboots.) Run @code{kstash}, giving it the master |
---|
512 | password: |
---|
513 | @smallexample |
---|
514 | sample# kstash |
---|
515 | |
---|
516 | Kerberos master key: @emph{password does not echo} |
---|
517 | |
---|
518 | Current Kerberos master key version is 1. |
---|
519 | |
---|
520 | Master key entered. |
---|
521 | @end smallexample |
---|
522 | |
---|
523 | @item Set up the database entries for the first user---yourself. |
---|
524 | Run @code{kdb_edit}, and enter the master key when prompted. When it |
---|
525 | asks for @code{Principal name:}, enter your user name. At |
---|
526 | @code{Instance:}, just press @kbd{RETURN}. @code{kdb_edit} tells you |
---|
527 | that this entry is not found, and ask whether to create it. Type |
---|
528 | @kbd{y}. |
---|
529 | |
---|
530 | When prompted for the initial password for the user (yourself), enter a |
---|
531 | short, easy to remember password. This will be changed in a few |
---|
532 | minutes, so keep it simple. You are prompted to enter it twice. Press |
---|
533 | @kbd{RETURN} for all the other questions. |
---|
534 | |
---|
535 | When @code{kdb_edit} prompts again for @code{Principal name:}, enter |
---|
536 | your user name again, but for @code{Instance:}, type @code{admin}. This |
---|
537 | creates an admin instance that you can later use to add new users and |
---|
538 | change user passwords. |
---|
539 | |
---|
540 | To exit @code{kdb_edit}, just press @kbd{RETURN} at the @code{Principal |
---|
541 | name:} prompt. |
---|
542 | |
---|
543 | Example: |
---|
544 | |
---|
545 | @smallexample |
---|
546 | sample# kdb_edit |
---|
547 | Opening database... |
---|
548 | |
---|
549 | Kerberos master key: @emph{password does not echo} |
---|
550 | |
---|
551 | Current Kerberos master key version is 1. |
---|
552 | |
---|
553 | Master key entered. Previous or default values are |
---|
554 | in [brackets] |
---|
555 | enter @kbd{RETURN} to leave the same, or new value. |
---|
556 | |
---|
557 | Principal name: jis |
---|
558 | Instance: |
---|
559 | |
---|
560 | <Not found>, Create [y] ? y |
---|
561 | |
---|
562 | Principal: jis, Instance: , kdc_key_ver: 1 |
---|
563 | New Password: @emph{user's password will not echo} |
---|
564 | Verifying, please re-enter |
---|
565 | New Password: @emph{user's password will not echo} |
---|
566 | |
---|
567 | Principal's new key version = 1 |
---|
568 | Expiration date (enter yyyy-mm-dd) [ 1999-12-31 ] ? |
---|
569 | Max ticket lifetime (*5 minutes) [ 255 ] ? |
---|
570 | Attributes [ 0 ] ? |
---|
571 | Edit O.K. |
---|
572 | Principal name: jis |
---|
573 | Instance: admin |
---|
574 | |
---|
575 | <Not found>, Create [y] ? y |
---|
576 | |
---|
577 | Principal: jis, Instance: admin, kdc_key_ver: 1 |
---|
578 | New Password: @emph{user's admin password will not echo} |
---|
579 | Verifying, please re-enter |
---|
580 | New Password: @emph{user's admin password will not echo} |
---|
581 | |
---|
582 | Principal's new key version = 1 |
---|
583 | Expiration date (enter yyyy-mm-dd) [ 1999-12-31 ] ? |
---|
584 | Max ticket lifetime (*5 minutes) [ 255 ] ? |
---|
585 | Attributes [ 0 ] ? |
---|
586 | Edit O.K. |
---|
587 | Principal name: @emph{press @kbd{RETURN} to exit} |
---|
588 | |
---|
589 | @end smallexample |
---|
590 | |
---|
@item Run @code{kerberos &} to start the Key Distribution Center
server (the @code{&} runs the server in the background). You should
see:
@smallexample
sample# kerberos &
[1] 22630
sample# Kerberos server starting
Sleep forever on error
Log file is /usr/kerberos/database/kerberos.log
Current Kerberos master key version is 1.

Master key entered.

Current Kerberos master key version is 1
Local realm: COMPANY.ORG
@end smallexample

@item Test the Key Distribution Center server. Run @code{kinit}
with your username as argument (e.g., @code{kinit jis}). If you get a
password prompt, the network is okay, and everything is configured
properly for this host to find the server. Type your password (this is
the password you just entered using @code{kdb_edit}).

If you get @samp{send_to_kdc: retry count exceeded}, then @code{kinit}
could not reach the server for some reason. Make sure that any entry
for your realm in @file{/usr/kerberos/lib/krb.conf} has the right
machine name. If there is no entry, make sure that the server machine
can be reached using the alias @file{kerberos.@var{REALM}}. Try
contacting the machine using @code{telnet} or @code{ping}. Also, check
that the @code{kerberos} daemon you started in the previous step is
actually running.

If you get an immediate @samp{kinit: Can't send request (send_to_kdc)},
the most likely cause is that @code{kinit} can't find or read the
@file{krb.conf} file, or can't find any entries for the selected realm
in that file. If there is a delay before the message, it is more likely
that the file was found but there was some problem communicating with
the server.

@emph{Special note for Solaris 2 users:} Solaris 2 includes a partial
installation of Kerberos, consisting of @code{kinit} and little
else. Since the Solaris @code{kinit} is in @file{/usr/bin}, it may
appear in your path ahead of the @file{/usr/kerberos/bin} version that
you've just installed, leading to errors similar to those above. While
the Solaris @code{kinit} will work with CNS Kerberos, it looks in
@file{/etc/krb.conf} instead of @file{/usr/kerberos/lib/krb.conf} and
thus won't find the information you'd expect it to. Since users will
normally have @file{/usr/kerberos/bin} near the front of their path in
order to get the CNS Kerberos @code{rlogin}, @code{rsh}, @code{telnet},
and @code{ftp} instead of the regular (non-Kerberos) versions, they will
also get the correct version of @code{kinit}, but this can be a source of
difficulty in an initial installation. Run @code{which kinit} to see
which one you are using.

@item Authorize yourself to use the @code{kadmin} program to make
administrative changes to the CNS Kerberos database. Using a text
editor, create four files in @file{/usr/kerberos/database}:
@file{admin_acl.add}, @file{admin_acl.get}, @file{admin_acl.mod}, and
@file{admin_acl.del}.
These files should all have identical contents. They should each
contain one line---your username, a period, and @code{admin}. If you
want to set up multiple administrators, you can add additional lines to
these files now or later. (You also need to add their username and
password to the CNS Kerberos database using @code{kadmin}---as shown
later---or @code{kdb_edit}.) Anyone who can write these files can grant
themselves administrative access, so, like the rest of
@file{/usr/kerberos/database}, they must be owned by root and not
writable by anyone else. Example:
@example
sample# cd /usr/kerberos/database
sample# cat >admin_acl.add
jis.admin
^D
sample# cp admin_acl.add admin_acl.get
sample# cp admin_acl.add admin_acl.mod
sample# cp admin_acl.add admin_acl.del
@end example

If sometime later, while running @code{kadmin}, you get the error
message ``Insufficient access to perform requested operation,'' it
indicates you have successfully contacted the Admin Server, but your
name was not found in the relevant @file{admin_acl} file. Look in
@file{/usr/kerberos/database/admin_server.syslog} to find the audit
trail of failed administrative requests, marked with @samp{WARNING}.

@item Run @code{kadmind -n &} to start the Admin Server, which handles
administrative requests and password changes.
@smallexample
sample# kadmind -n &
KADM Server KADM0.0A initializing
Please do not use 'kill -9' to kill this job, use a
regular kill instead

KADM Server starting in NON-FASCIST mode for the purposes
for password changing

Current Kerberos master key version is 1.

Master key entered.
@end smallexample

@item Test the Admin Server by using @code{kadmin} to change your
password. You must either first log in as yourself, or use the
@samp{-u} argument to @code{kadmin} to provide your user ID.
@smallexample
sample# kadmin -u jis
Welcome to the Kerberos Administration Program, version 2
Type @kbd{help} if you need it.
admin: cpw jis
Admin password:
@emph{the admin password you assigned yourself above}
New password for jis: @emph{invent and remember a good one}
Verifying, please re-enter
New password for jis: @emph{type the same one}
Password changed for jis.
admin: quit
Cleaning up and exiting.
sample#
@end smallexample
Be sure that you remember your new password. If you forget it, you
cannot use the system.

@item Run @code{kdestroy} to destroy the tickets used in testing.

@item Update your @file{/etc/rc} file, or equivalent, so that these two
daemons are run each time the system reboots:
@example
/usr/kerberos/etc/kerberos &
/usr/kerberos/etc/kadmind -n &
@end example

These should be started early in the boot process---after the file
systems are mounted, but before the portmapper starts up. The admin
daemon uses an unofficial port number which the portmapper may acquire
if portmapper is started first.

If your system initializes using files in a directory like
@file{/etc/rc2.d}, look for the script which starts @code{portmap}, and
make sure that the daemons are started earlier. This can be done by
starting them earlier in the same script, or by creating a new script
with a lower number. On the other hand, make sure that the daemons are
not started until the network has been initialized.

@item @emph{Special note for HP/UX startup}: Under HP/UX
the commands mentioned above should be placed in a separate file, and
that file should be run from the @code{localrc()} function in the
@file{/etc/rc} file. Placing the commands directly in @code{localrc()}
may cause them to be terminated immediately after @file{/etc/rc} finishes.

@item Reboot your system, examine its messages while it boots, and
rerun the tests, to make sure that the daemons both start successfully.
@end enumerate

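The @code{kinit} troubleshooting advice above comes down to two questions: which KDC host will @code{kinit} try for your realm, and can this machine reach it? The following shell script is an added example, not part of the CNS distribution or of this manual. It assumes the Kerberos 4 @file{krb.conf} layout (first line the local realm; later lines @samp{REALM kdc-host}, optionally followed by @samp{admin server}) and falls back to the @file{kerberos.@var{REALM}} alias exactly as the text describes. The @code{diagnose} function shells out to @code{ping} and @code{ps}, so run it on the host you are checking.

```shell
# Added example (not part of the CNS manual): find the KDC that kinit
# will contact for a realm, following the rule given in the text:
# a "REALM host" line in krb.conf if there is one, otherwise the alias
# kerberos.REALM.  Then run the reachability checks the text suggests.
# Assumed krb.conf format (Kerberos 4): first line is the local realm,
# later lines are "REALM kdc-host [admin server]".

KRB_CONF=${KRB_CONF:-/usr/kerberos/lib/krb.conf}

# Print the local (default) realm: the first non-blank line of krb.conf ($1).
local_realm() {
    awk 'NF { print $1; exit }' "$1"
}

# Print every KDC listed for realm $2 in krb.conf $1, one per line, in
# the order kinit would try them.  Prints nothing if none is listed.
kdc_hosts_for_realm() {
    awk -v realm="$2" 'NR > 1 && $1 == realm { print $2 }' "$1"
}

# Same, but fall back to the kerberos.REALM alias when krb.conf has no entry.
kdc_hosts_or_alias() {
    hosts=$(kdc_hosts_for_realm "$1" "$2")
    if [ -n "$hosts" ]; then
        printf '%s\n' "$hosts"
    else
        printf 'kerberos.%s\n' "$2"
    fi
}

# Diagnostic for one host: which KDC would be used, can we reach it, and
# (if this machine is the KDC) is a kerberos daemon running?
diagnose() {
    conf=$1
    if [ ! -r "$conf" ]; then
        echo "cannot read $conf: expect 'kinit: Can't send request (send_to_kdc)'"
        return 1
    fi
    realm=$(local_realm "$conf")
    echo "local realm: $realm"
    for h in $(kdc_hosts_or_alias "$conf" "$realm"); do
        echo "KDC candidate: $h"
        if ping -c 1 "$h" >/dev/null 2>&1; then
            echo "  reachable"
        else
            echo "  NOT reachable: check the hostname in $conf or the kerberos.$realm alias"
        fi
    done
    # crude check for a running "kerberos" daemon on this host
    if ps -ef 2>/dev/null | grep -v grep | grep -q '[/ ]kerberos'; then
        echo "a kerberos daemon appears to be running on this host"
    else
        echo "no kerberos daemon found on this host (fine unless this is the KDC)"
    fi
}

# Usage on the host being checked:  sh kdc_check.sh --run
[ "${1-}" = "--run" ] && diagnose "$KRB_CONF"
```

The functions take the configuration file as an argument, so you can point them at a copy of @file{krb.conf} from another machine to see what that machine's @code{kinit} would do.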
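The four @file{admin_acl} files above gate who may administer the realm, and they only work if they stay identical and root-only. The following shell functions are an added example, not part of the CNS distribution or of this manual: they write the four files from one list of @samp{user.admin} principals and check the result the way you would before trusting it. The directory and file names are the ones the manual uses; the principal names passed in are assumptions for illustration.

```shell
# Added example (not part of the CNS manual): create the four kadmin ACL
# files from one list of admin principals, then verify that they are
# identical, non-empty, well-formed and readable/writable by root only.
# Run as root on the KDC so that the files end up root-owned.

ACL_DIR=${ACL_DIR:-/usr/kerberos/database}
ACL_OPS="add get mod del"

# Write the same admin list into admin_acl.add/get/mod/del under $1.
# Remaining arguments are admin principals in "user.admin" form.
write_admin_acls() {
    dir=$1; shift
    for op in $ACL_OPS; do
        f="$dir/admin_acl.$op"
        # umask 077 so the file is never created group/world readable
        ( umask 077; printf '%s\n' "$@" > "$f" ) || return 1
        chmod 600 "$f"
    done
}

# Verify the four files exist, are non-empty, match each other, contain
# only user.admin lines, and are mode 600.  Prints the first problem
# found and returns 1; prints OK and returns 0 otherwise.
check_admin_acls() {
    dir=$1
    ref="$dir/admin_acl.add"
    for op in $ACL_OPS; do
        f="$dir/admin_acl.$op"
        [ -f "$f" ] || { echo "missing $f"; return 1; }
        [ -s "$f" ] || { echo "$f is empty: nobody can administer the realm"; return 1; }
        cmp -s "$ref" "$f" || { echo "$f differs from $ref"; return 1; }
        # every line must be a principal of the form user.admin
        if grep -v -q '^[A-Za-z0-9_][A-Za-z0-9_-]*\.admin$' "$f"; then
            echo "$f contains a line that is not of the form user.admin"; return 1
        fi
        # permission check: first 10 characters of ls -l are the mode string
        mode=$(ls -l "$f" | cut -c1-10)
        case $mode in
            -rw-------) ;;
            *) echo "$f has mode $mode, expected -rw-------"; return 1 ;;
        esac
    done
    echo "admin ACLs in $dir OK"
}

# Usage on the KDC:  write_admin_acls "$ACL_DIR" jis.admin && check_admin_acls "$ACL_DIR"
```

Rerun @code{check_admin_acls} after any later edit; a file that drifts from the other three is exactly the case that produces ``Insufficient access to perform requested operation'' for one @code{kadmin} command but not another.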
@node Application server configuration, Adding users, Configuring the KDC, Top
@chapter Configuring an Application Server

To configure a machine to provide @code{rlogin} and @code{rsh} service,
you need to create a secret key for that machine in the CNS database and
on the host itself.

(If you are upgrading from an existing CNS release to this release, you
have already set up your machine's secret key. Skip down to the step
``Test your CNS services'', and do the rest of the procedure.)

The master database contains entries for all network services that
require CNS Kerberos authentication. If, for example, you want to offer
@code{rlogin} service from the machine @file{trickster}, you need to
register @file{trickster} in the master database.

CNS does not recognize full domain names. Therefore, use the first
component of the DNS hostname (e.g., @file{trickster} for
@file{trickster.company.org}).

@enumerate
@c 1
@item From an account for which you created an admin instance,
run @code{kadmin}. At the prompt, type:
@smallexample
ank rcmd.@var{hostname}
@end smallexample
@noindent
@code{ank} means ``add new key'' and you are telling it to add a service
key for the @code{rcmd} service on machine @var{hostname}.

@smallexample
sample# kadmin
Welcome to the Kerberos Administration Program, version 2
Type @kbd{help} if you need it.
admin: ank rcmd.trickster
Admin password:
@emph{the jis.admin password you created with kdb_edit}
Password for rcmd.trickster: @emph{some short easy password}
Verifying, please re-enter
Password for rcmd.trickster: @emph{Re-enter.}
rcmd.trickster added to database.
admin: quit

@end smallexample

@noindent
The password you give here is only a temporary bootstrap secret: it is
replaced by a new key, not known to you, when you run
@code{ksrvutil change} in step 3 below.

@noindent
Note: You use this same process to add any other new users to the
database, except that you use their username as the argument to the
@code{ank} command. Remind your users to change their CNS passwords
once they have begun to use CNS, so you do not know what their passwords
are.

@c 2
@item On the application server, as root, run @code{ksrvutil add}. This
creates the srvtab file, @file{/etc/krb-srvtab}.

@smallexample
# ksrvutil add
Name: rcmd
Instance: trickster
Realm: COMPANY.ORG @emph{remember to use uppercase here!}
Version number: 1
New principal: rcmd.trickster@@COMPANY.ORG; version 1
Is this correct? (y,n) [y] y
Password: @emph{Give the easy password}
Verifying, please re-enter Password: @emph{do it again}
Key successfully added.
Would you like to add another key? (y,n) [y] n
Old keyfile in /etc/krb-srvtab.old.
@end smallexample

You must give the same password here that you gave to @code{kadmin} in
the @code{ank} (add new key) process.

@c 3
@item Run @code{ksrvutil change}. This updates the key to a new one, not
known to you, in both the Kerberos database for your realm and in
@file{/etc/krb-srvtab}. The srvtab holds the host's long-term secret
key, so it must remain readable by root only.

Use the following list of troubleshooting suggestions if any problems
arise at this stage:

@itemize @bullet
@c 3.1
@item Clocks not synchronized. The time on client machines, and all other
machines communicating via CNS, must be within five minutes of each other.
Synchronize all machine time settings.

@item Incorrect name specification. Be sure that the file
@file{/usr/kerberos/lib/krb.conf} has the correct realm and key server's
hostname.

@c 3.2
@item Password error. Type @kbd{rm /etc/krb-srvtab} and run
@code{ksrvutil add} again.

@c 3.3
@item Problem with @code{kinit @var{user}}. If @code{kinit @var{user}} does
not work, debug that first, using the suggestions in the section
@ref{Configuring the KDC,,Configuring the Key Distribution Center}.

@c 3.4
@item Problem with @code{kinit rcmd.@var{hostname}}. If @code{kinit
rcmd.@var{hostname}} does not work, there could be several explanations.

If @code{kinit} reports @samp{principal unknown}, then go back and run
@code{kadmin} again and correctly enter the item in the database.

If @code{kinit} reports @samp{incorrect password}, then you have given a
different password than you did originally. If you remember the correct
password, delete @file{/etc/krb-srvtab}, then go back and run
@code{ksrvutil add} again. If you do not remember the password, change
the one in the database to something you will remember. To change the
password, run @code{kadmin} again. Use @code{cpw rcmd.@var{hostname}}
to set the password to something you will remember. Delete
@file{/etc/krb-srvtab} and run @code{ksrvutil add} again. Run
@code{ksrvutil change} again too. This time, it tells you that the
version numbers of the keys do not match, and asks if you want it to fix
this. Type @kbd{yes}.

@item Problem only with @code{ksrvutil}. If @code{kinit rcmd.@var{hostname}}
works, but @code{ksrvutil change} fails, in particular with the message
``Retry count exceeded (send_to_kdc)'', verify that the realm name is
both uppercase and spelled correctly in the @file{/etc/krb-srvtab} file
using @code{ksrvutil list}. If it isn't, follow the above procedure for
deleting and correcting the file.
@end itemize

@c 4
@item Update @file{/etc/inetd.conf}. Add these lines to the file and reset
the @code{inetd} daemon. Unless your system documentation recommends
another procedure, use @code{kill -HUP} to reset the current daemon.

@iftex
@let@nonarrowing=@comment
@end iftex
@smallexample
klogin stream tcp nowait root /usr/kerberos/etc/klogind klogind
eklogin stream tcp nowait root /usr/kerberos/etc/klogind eklogind
kpop stream tcp nowait root /usr/kerberos/etc/popper popper
kshell stream tcp nowait root /usr/kerberos/etc/kshd kshd
@end smallexample
@iftex
@let@nonarrowing=@relax
@end iftex

@c 5
@item Test your CNS services.
(Remember to update your path to place @file{/usr/kerberos/bin} before
@file{/usr/ucb} in your path variable.)

To try @code{rlogin}: on a working client machine (possibly the same
machine), run @code{kinit}, type your name and password, and then run
@code{rlogin @var{app-hostname}}, supplying the hostname you just set up
as an Application Server. If it works, try @code{rlogin @var{app-hostname}
-x} to test an encrypted session; you should get a message indicating
that @samp{DES} is being used to protect all traffic.

@c 6
@item If you wish, turn off non-CNS access. You may want to
restrict access to only those users who log in via the CNS programs. The
Berkeley versions of @samp{rlogin}, @samp{rsh}, and @samp{rcp} rely on
the source address of the incoming TCP connection for authentication, so
they can be subverted by IP source-address spoofing. Turning
them off increases your security against break-ins. To do this, look for
lines in @file{/etc/inetd.conf} for the services @samp{shell} and
@samp{login}. Comment them out by putting a @kbd{#} at the start of the
line. After editing @file{/etc/inetd.conf}, you must reset the
@code{inetd} daemon as described above.

@c 7
@item If you wish, use the CNS @code{FTP} and/or @code{telnet}
daemons instead of the system supplied daemons. The CNS versions
support both the traditional password authentication and Kerberos
authentication. Look for lines in
@file{/etc/inetd.conf} for the services @code{telnet} and @code{FTP}.
Replace them with lines which look like this:

@iftex
@let@nonarrowing=@comment
@end iftex
@smallexample
ftp stream tcp nowait root /usr/kerberos/etc/ftpd ftpd
telnet stream tcp nowait root /usr/kerberos/etc/telnetd telnetd
@end smallexample
@iftex
@let@nonarrowing=@relax
@end iftex

If you wish to restrict @code{FTP} access to people with valid CNS
authentication (and to anonymous users, if your password file admits
them), use the @samp{-a} option. This rejects FTP accesses which would
normally involve typing a password across the network unencrypted:

@iftex
@let@nonarrowing=@comment
@end iftex
@smallexample
ftp stream tcp nowait root /usr/kerberos/etc/ftpd ftpd -a
@end smallexample
@iftex
@let@nonarrowing=@relax
@end iftex

If you wish to restrict @code{telnet} access to people with valid CNS
authentication, use the @samp{-a valid} option. This rejects
@code{telnet} connections that would normally involve typing a password
across the network unencrypted:

@iftex
@let@nonarrowing=@comment
@end iftex
@smallexample
telnet stream tcp nowait root /usr/kerberos/etc/telnetd
telnetd -a valid
@end smallexample
@iftex
@let@nonarrowing=@relax
@end iftex

(The example above should be entered all on one line; it has been broken
into two lines for convenience in reading this manual.)

After editing @file{/etc/inetd.conf}, you must reset the @code{inetd}
daemon as described above.
@end enumerate

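Steps 4, 6 and 7 of this chapter all edit @file{/etc/inetd.conf}. The following shell script is an added example, not part of the CNS distribution or of this manual, that applies them in one pass and can be rerun safely: it comments out the @samp{shell} and @samp{login} lines, swaps the system @code{ftp} and @code{telnet} entries for the CNS daemons, and appends the Kerberized services only if they are not already active. It uses the daemon paths given above and the restricting @samp{-a} and @samp{-a valid} options; drop those two lines from @code{kerberos_inetd_lines} if you want to keep password logins. It writes to a separate output file so you can inspect the result before moving it into place; @code{reload_inetd} assumes @code{ps -ef} output with the command in the eighth column.

```shell
# Added example (not part of the CNS manual): apply steps 4, 6 and 7 to
# an inetd.conf in one idempotent pass.  Rerunning on its own output
# neither duplicates the Kerberos lines nor touches already-disabled
# services.  Paths and options are the ones the manual gives.

KERB_ETC=/usr/kerberos/etc

# Services disabled because they authenticate by source IP address (step 6).
UNAUTH_SERVICES="shell login"

# Lines for the Kerberized services (step 4) plus CNS ftpd/telnetd
# restricted to authenticated users (step 7).
kerberos_inetd_lines() {
    cat <<EOF
klogin  stream tcp nowait root $KERB_ETC/klogind klogind
eklogin stream tcp nowait root $KERB_ETC/klogind eklogind
kpop    stream tcp nowait root $KERB_ETC/popper  popper
kshell  stream tcp nowait root $KERB_ETC/kshd    kshd
ftp     stream tcp nowait root $KERB_ETC/ftpd    ftpd -a
telnet  stream tcp nowait root $KERB_ETC/telnetd telnetd -a valid
EOF
}

# Rewrite inetd.conf $1 into $2:
#  - active "shell"/"login" lines get a leading '#'
#  - active lines for a service we supply (ftp, telnet, klogin, ...) are
#    replaced by our version, which also makes a rerun a no-op
#  - our remaining lines are appended at the end
harden_inetd_conf() {
    in=$1; out=$2
    kerberos_inetd_lines > "$out.kerb"
    awk -v disable="$UNAUTH_SERVICES" -v kerbfile="$out.kerb" '
        BEGIN {
            n = split(disable, d, " "); for (i = 1; i <= n; i++) off[d[i]] = 1
            while ((getline line < kerbfile) > 0) {
                split(line, f, " "); kerb[f[1]] = line; order[++k] = f[1]
            }
        }
        /^[ \t]*#/ || /^[ \t]*$/ { print; next }        # comments and blanks pass through
        {
            svc = $1
            if (svc in off)  { print "#" $0; next }      # disable rlogin/rsh
            if (svc in kerb) { seen[svc] = 1; print kerb[svc]; next }
            print
        }
        END { for (i = 1; i <= k; i++) if (!seen[order[i]]) print kerb[order[i]] }
    ' "$in" > "$out"
    rm -f "$out.kerb"
}

# Count active (uncommented) lines for service $2 in file $1; use this to
# confirm the result before installing it.
active_count() {
    awk -v s="$2" '!/^[ \t]*#/ && $1 == s { c++ } END { print c + 0 }' "$1"
}

# Make the running inetd reread its configuration (run as root).
# Assumes ps -ef output with the command name in column 8.
reload_inetd() {
    pid=$(ps -ef | awk '$8 ~ /(^|\/)inetd$/ { print $2; exit }')
    [ -n "$pid" ] && kill -HUP "$pid"
}

# Usage as root:
#   harden_inetd_conf /etc/inetd.conf /etc/inetd.conf.new
#   [ "$(active_count /etc/inetd.conf.new login)" = 0 ] && \
#       mv /etc/inetd.conf.new /etc/inetd.conf && reload_inetd
```

Keep the old file (@file{inetd.conf.old} or similar) until you have confirmed with @code{rlogin -x} that the CNS services work; once @samp{shell} and @samp{login} are commented out, a broken srvtab leaves you with no remote login at all except the console.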
@node Adding users, , Application server configuration, Top
@chapter Adding Users to the Kerberos Database

Before users can use CNS, they must be added to the Kerberos database.

Users are added with the @code{kadmin} program.

@enumerate

@item Log in as the user for whom you created an admin instance when
you configured the Kerberos database (@pxref{Configuring the
KDC,,Configuring the Key Distribution Center}).

@item Run @code{/usr/kerberos/bin/kadmin}.

@item At the prompt, type @kbd{ank @var{USER}}. When prompted, enter
your admin password, and then enter a password for the user.
@smallexample
% kadmin
Welcome to the Kerberos Administration Program, version 2
Type @kbd{help} if you need it.
admin: ank @var{USER}
Admin password:
@emph{the admin password you created with kdb_edit}
Password for @var{USER}: @emph{a password}
Verifying, please re-enter
Password for @var{USER}: @emph{Re-enter.}
@var{USER} added to database.
admin: quit
%
@end smallexample

@item The user may now run @code{kinit}, giving the password you entered
above. Encourage the user to use @code{kpasswd} to select a personal
password which you do not know. If necessary, you can use the
@code{cpw} command in @code{kadmin} to change the user's password to a
known string.
@end enumerate

@contents
@c second page break makes sure right-left page alignment works right
@c with a one-page toc, even though we don't have setchapternewpage odd.
@c end of texinfo file
@bye