Drift/Kerberos: Difference between revisions
< Drift
No edit summary |
No edit summary |
||
| Line 99: | Line 99: | ||
</nowiki></pre> | </nowiki></pre> | ||
Konfigurer pam | Konfigurer pam. Oppsettet kan for eksempel se slik ut på en debian-maskin: | ||
/etc/pam.d/common-account:<pre><nowiki> | |||
account required pam_krb5.so minimum_uid=1000 | |||
account required pam_unix.so | |||
</nowiki></pre> | |||
/etc/pam.d/common-auth:<pre><nowiki> | |||
auth sufficient pam_krb5.so minimum_uid=1000 | |||
auth required pam_unix.so nullok_secure | |||
</nowiki></pre> | |||
/etc/pam.d/common-password:<pre><nowiki> | |||
# NB! Sjekk denne, den ser litt feil ut! | |||
password sufficient pam_krb5.so minimum_uid=1000 | |||
password required pam_unix.so nullok obscure md5 | |||
</nowiki></pre> | |||
/etc/pam.d/common-session:<pre><nowiki> | |||
session optional pam_krb5.so minimum_uid=1000 | |||
session required pam_unix.so | |||
</nowiki></pre> | |||
__NOTOC__ | __NOTOC__ | ||
Revision as of 13:46, 9 January 2010
Installasjon av KDC
Rediger /etc/hosts så public-ipen (f.eks. 129.241.210.168) peker på hostnavnet til kdc, ellers virker det ikke.
Installer heimdal-clients
Legg til dette i bunnen av /etc/krb5.conf for å få de riktige krypto-algoritmene:
[kadmin]
default_keys = aes256-cts-hmac-sha1-96:pw-salt aes128-cts-hmac-sha1-96:pw-salt des3-cbc-sha1:pw-salt arcfour-hmac-md5:pw-salt
Installer heimdal-kdc
asgard:~# kadmin -l kadmin> init PVV.NTNU.NO Realm max ticket life [unlimited]: Realm max renewable ticket life [unlimited]: kadmin: create_random_entry(krbtgt/PVV.NTNU.NO@PVV.NTNU.NO): randkey failed: Principal or policy already exists kadmin: create_random_entry(kadmin/changepw@PVV.NTNU.NO): randkey failed: Principal or policy already exists kadmin: create_random_entry(kadmin/admin@PVV.NTNU.NO): randkey failed: Principal or policy already exists kadmin: create_random_entry(changepw/kerberos@PVV.NTNU.NO): randkey failed: Principal or policy already exists kadmin: create_random_entry(kadmin/hprop@PVV.NTNU.NO): randkey failed: Principal or policy already exists kadmin: kadm5_create_principal: Principal or policy already exists
kadmin> modify -a -disallow-all-tix,requires-pre-auth default
kadmin> get default
Principal: default@PVV.NTNU.NO
Principal expires: never
Password expires: never
Last password change: 2009-06-16 18:16:07 UTC
Max ticket life: 1 day
Max renewable life: 1 week
Kvno: 1
Mkvno: 0
Last successful login: never
Last failed login: never
Failed login count: 0
Last modified: 2009-06-16 18:18:43 UTC
Modifier: kadmin/admin@PVV.NTNU.NO
Attributes: requires-pre-auth
Keytypes: aes256-cts-hmac-sha1-96(pw-salt), aes128-cts-hmac-sha1-96(pw-salt), des3-cbc-sha1(pw-salt), arcfour-hmac-md5(pw-salt)
PK-INIT ACL:
Aliases:
kadmin> add knuta/admin Max ticket life [1 day]: Max renewable life [1 week]: Principal expiration time [never]: Password expiration time [never]: Attributes [requires-pre-auth]: knuta/admin@PVV.NTNU.NO's Password: Verifying - knuta/admin@PVV.NTNU.NO's Password:
Rediger /etc/heimdal-kdc/kadmind.acl og legg til følgende:
knuta/admin all
Lag symlink (på grunn av en bug i heimdal-kdc):
ln -s /etc/heimdal-kdc/kadmind.acl /var/lib/heimdal-kdc/
Rediger /etc/heimdal-kdc/kdc.conf og sett følgende opsjoner:
[password_quality] min_length = 8 [kadmin] default_keys = aes256-cts-hmac-sha1-96:pw-salt aes128-cts-hmac-sha1-96:pw-salt des3-cbc-sha1:pw-salt arcfour-hmac-md5:pw-salt
Nye bokser
Legg til host principal
kadmin> add --random-key host/berners-lee.pvv.ntnu.no Max ticket life [1 day]: Max renewable life [1 week]: Principal expiration time [never]: Password expiration time [never]: Attributes [requires-pre-auth]:
Logg inn på maskinen.
installer heimdal:
berners-lee:~# aptitude install heimdal-clients
last ned keytab
berners-lee:~# ktutil get -p knuta/admin host/berners-lee.pvv.ntnu.no
Konfigurer pam. Oppsettet kan for eksempel se slik ut på en debian-maskin:
/etc/pam.d/common-account:
account required pam_krb5.so minimum_uid=1000 account required pam_unix.so
/etc/pam.d/common-auth:
auth sufficient pam_krb5.so minimum_uid=1000 auth required pam_unix.so nullok_secure
/etc/pam.d/common-password:
# NB! Sjekk denne, den ser litt feil ut! password sufficient pam_krb5.so minimum_uid=1000 password required pam_unix.so nullok obscure md5
/etc/pam.d/common-session:
session optional pam_krb5.so minimum_uid=1000 session required pam_unix.so