Drift/Kerberos
< Drift
Nye kerberos-klienter
Legg til host principal
knuta@kvikk ~ $ kadmin -p knuta/admin kadmin> add --random-key host/berners-lee.pvv.ntnu.no Max ticket life [1 day]: Max renewable life [1 week]: Principal expiration time [never]: Password expiration time [never]: Attributes [requires-pre-auth]:
Logg inn på maskinen.
installer heimdal:
berners-lee:~# aptitude install heimdal-clients
last ned keytab
berners-lee:~# ktutil get -p knuta/admin host/berners-lee.pvv.ntnu.no
Konfigurer pam. Oppsettet kan for eksempel se slik ut på en debian-maskin:
/etc/pam.d/common-account:
account required pam_krb5.so minimum_uid=1000 account required pam_unix.so
/etc/pam.d/common-auth:
auth sufficient pam_krb5.so minimum_uid=1000 auth required pam_unix.so nullok_secure
/etc/pam.d/common-password:
# NB! Sjekk denne, den ser litt feil ut! password sufficient pam_krb5.so minimum_uid=1000 password required pam_unix.so nullok obscure md5
/etc/pam.d/common-session:
session optional pam_krb5.so minimum_uid=1000 session required pam_unix.so
Installasjon av KDC
Rediger /etc/hosts så public-ipen (f.eks. 129.241.210.168) peker på hostnavnet til kdc, ellers virker det ikke.
Installer heimdal-clients
Legg til dette i bunnen av /etc/krb5.conf for å få de riktige krypto-algoritmene:
[kadmin]
default_keys = aes256-cts-hmac-sha1-96:pw-salt aes128-cts-hmac-sha1-96:pw-salt des3-cbc-sha1:pw-salt arcfour-hmac-md5:pw-salt
Installer heimdal-kdc
asgard:~# kadmin -l kadmin> init PVV.NTNU.NO Realm max ticket life [unlimited]: Realm max renewable ticket life [unlimited]: kadmin: create_random_entry(krbtgt/PVV.NTNU.NO@PVV.NTNU.NO): randkey failed: Principal or policy already exists kadmin: create_random_entry(kadmin/changepw@PVV.NTNU.NO): randkey failed: Principal or policy already exists kadmin: create_random_entry(kadmin/admin@PVV.NTNU.NO): randkey failed: Principal or policy already exists kadmin: create_random_entry(changepw/kerberos@PVV.NTNU.NO): randkey failed: Principal or policy already exists kadmin: create_random_entry(kadmin/hprop@PVV.NTNU.NO): randkey failed: Principal or policy already exists kadmin: kadm5_create_principal: Principal or policy already exists
kadmin> modify -a -disallow-all-tix,requires-pre-auth default
kadmin> get default
Principal: default@PVV.NTNU.NO
Principal expires: never
Password expires: never
Last password change: 2009-06-16 18:16:07 UTC
Max ticket life: 1 day
Max renewable life: 1 week
Kvno: 1
Mkvno: 0
Last successful login: never
Last failed login: never
Failed login count: 0
Last modified: 2009-06-16 18:18:43 UTC
Modifier: kadmin/admin@PVV.NTNU.NO
Attributes: requires-pre-auth
Keytypes: aes256-cts-hmac-sha1-96(pw-salt), aes128-cts-hmac-sha1-96(pw-salt), des3-cbc-sha1(pw-salt), arcfour-hmac-md5(pw-salt)
PK-INIT ACL:
Aliases:
kadmin> add knuta/admin Max ticket life [1 day]: Max renewable life [1 week]: Principal expiration time [never]: Password expiration time [never]: Attributes [requires-pre-auth]: knuta/admin@PVV.NTNU.NO's Password: Verifying - knuta/admin@PVV.NTNU.NO's Password:
Rediger /etc/heimdal-kdc/kadmind.acl og legg til følgende:
knuta/admin all
Lag symlink (på grunn av en bug i heimdal-kdc):
ln -s /etc/heimdal-kdc/kadmind.acl /var/lib/heimdal-kdc/
Rediger /etc/heimdal-kdc/kdc.conf og sett følgende opsjoner:
[password_quality] min_length = 8 [kadmin] default_keys = aes256-cts-hmac-sha1-96:pw-salt aes128-cts-hmac-sha1-96:pw-salt des3-cbc-sha1:pw-salt arcfour-hmac-md5:pw-salt