Drift/Kerberos

From Programvareverkstedet
Revision as of 12:55, 9 January 2010 by Knuta (talk | contribs) (initial revision)

Installing the KDC

Edit /etc/hosts so that the public IP (e.g. 129.241.210.168) resolves to the KDC's hostname; otherwise it will not work.

Install heimdal-clients.

Add the following at the bottom of /etc/krb5.conf to get the right crypto algorithms (des3-cbc-sha1 and arcfour-hmac-md5 are legacy enctypes kept only for old clients; drop them from the list once nothing in the realm still needs them):

[kadmin]
        default_keys = aes256-cts-hmac-sha1-96:pw-salt aes128-cts-hmac-sha1-96:pw-salt des3-cbc-sha1:pw-salt arcfour-hmac-md5:pw-salt

Install heimdal-kdc.

On the KDC (asgard), in kadmin, clear disallow-all-tix and set requires-pre-auth on the default principal (new principals inherit its settings as their defaults), then check the result:

kadmin> modify -a -disallow-all-tix,requires-pre-auth default
kadmin> get default

           Principal: default@PVV.NTNU.NO
   Principal expires: never
    Password expires: never
Last password change: 2009-06-16 18:16:07 UTC
     Max ticket life: 1 day
  Max renewable life: 1 week
                Kvno: 1
               Mkvno: 0

Last successful login: never

   Last failed login: never
  Failed login count: 0
       Last modified: 2009-06-16 18:18:43 UTC
            Modifier: kadmin/admin@PVV.NTNU.NO
          Attributes: requires-pre-auth
            Keytypes: aes256-cts-hmac-sha1-96(pw-salt), aes128-cts-hmac-sha1-96(pw-salt), des3-cbc-sha1(pw-salt), arcfour-hmac-md5(pw-salt)
         PK-INIT ACL: 
             Aliases: 

Add an admin principal:

kadmin> add knuta/admin
Max ticket life [1 day]:
Max renewable life [1 week]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes [requires-pre-auth]:
knuta/admin@PVV.NTNU.NO's Password:
Verifying - knuta/admin@PVV.NTNU.NO's Password:

Edit /etc/heimdal-kdc/kadmind.acl and add the following:

knuta/admin all

Create a symlink (works around a bug in heimdal-kdc, where kadmind reads the ACL from /var/lib/heimdal-kdc/ instead of /etc/heimdal-kdc/):

ln -s /etc/heimdal-kdc/kadmind.acl /var/lib/heimdal-kdc/

Edit /etc/heimdal-kdc/kdc.conf and set the following options:

[password_quality]
min_length = 8

[kadmin]
default_keys = aes256-cts-hmac-sha1-96:pw-salt aes128-cts-hmac-sha1-96:pw-salt des3-cbc-sha1:pw-salt arcfour-hmac-md5:pw-salt
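As an added example (not from the PVV wiki or from Heimdal), a small sh script that audits a kdc.conf or krb5.conf for the legacy enctypes in the default_keys list above and for the min_length setting. Both config files it checks are constructed inline; the AES-only key list and the minimum length of 12 in the "hardened" variant are this example's own assumptions, not the wiki's values.

```shell
#!/bin/sh
# Added example, not from the PVV wiki or Heimdal: audit the [kadmin]
# default_keys list and [password_quality] min_length of a Heimdal
# kdc.conf/krb5.conf before putting a KDC in service. The two config files
# below are constructed for the demonstration; the "12" minimum and the
# AES-only key list are this example's assumptions, not the wiki's values.

# Enctypes not to issue for new principals: single DES is broken, RC4
# (arcfour-hmac-md5) and 3DES are legacy and only justified by old clients.
WEAK_ENCTYPES='des-cbc-crc des-cbc-md4 des-cbc-md5 arcfour-hmac-md5 des3-cbc-sha1'

# conf_value FILE SECTION KEY -> value of KEY in [SECTION] (first hit), else nothing.
conf_value() {
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*\[/ { in_sec = ($1 == sec); next }
        in_sec && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }' "$1"
}

# weak_default_keys FILE -> prints the weak enctypes in [kadmin] default_keys
# (space separated); exit 1 if any were found, 0 if the list is clean.
weak_default_keys() {
    found=
    for entry in $(conf_value "$1" kadmin default_keys); do
        enc=${entry%%:*}                # "enctype:salt-type" -> enctype
        for weak in $WEAK_ENCTYPES; do
            [ "$enc" = "$weak" ] && found="$found${found:+ }$enc"
        done
    done
    [ -n "$found" ] && echo "$found"
    [ -z "$found" ]
}

# min_length_ok FILE MIN -> exit 0 if [password_quality] min_length >= MIN.
min_length_ok() {
    n=$(conf_value "$1" password_quality min_length)
    [ -n "$n" ] && [ "$n" -ge "$2" ]
}

# audit FILE -> one line per check; exit 0 only if both checks pass.
audit() {
    rc=0
    if weak=$(weak_default_keys "$1"); then
        echo "$1: default_keys OK"
    else
        echo "$1: weak enctypes in default_keys: $weak"; rc=1
    fi
    if min_length_ok "$1" 12; then
        echo "$1: min_length OK"
    else
        echo "$1: min_length below 12"; rc=1
    fi
    return $rc
}

TMP=${TMPDIR:-/tmp}/kdc-audit.$$
mkdir -p "$TMP"

# Constructed copy of the wiki's kdc.conf settings (legacy enctypes included).
cat > "$TMP/kdc.conf.legacy" <<'EOF'
[password_quality]
    min_length = 8

[kadmin]
    default_keys = aes256-cts-hmac-sha1-96:pw-salt aes128-cts-hmac-sha1-96:pw-salt des3-cbc-sha1:pw-salt arcfour-hmac-md5:pw-salt
EOF

# Constructed hardened variant: AES only, longer minimum password.
cat > "$TMP/kdc.conf.hardened" <<'EOF'
[password_quality]
    min_length = 12

[kadmin]
    default_keys = aes256-cts-hmac-sha1-96:pw-salt aes128-cts-hmac-sha1-96:pw-salt
EOF

audit "$TMP/kdc.conf.legacy" || true    # flags des3-cbc-sha1, arcfour-hmac-md5 and min_length
audit "$TMP/kdc.conf.hardened"
```

Point it at the real /etc/heimdal-kdc/kdc.conf (and /etc/krb5.conf, which carries the same [kadmin] block on this KDC) instead of the constructed files; the salt-type suffix after the colon is ignored on purpose, since only the enctype decides the key strength.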

New machines

Add a host principal in kadmin:

kadmin> add --random-key host/berners-lee.pvv.ntnu.no
Max ticket life [1 day]:
Max renewable life [1 week]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes [requires-pre-auth]:

Log in to the machine.

Install the Heimdal client tools:

berners-lee:~# aptitude install heimdal-clients

Fetch the keytab (ktutil get sets a new random key on the host principal and writes it to the default keytab, /etc/krb5.keytab; -p names the admin principal from kadmind.acl to authenticate to kadmind as):

berners-lee:~# ktutil get -p knuta/admin host/berners-lee.pvv.ntnu.no

Configure PAM (TODO: document this).
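The new-machine steps above (host principal, keytab, and a check that the keytab actually works against the KDC before PAM is touched) as one script; this is an added example, not the wiki's or Heimdal's own code. The admin principal, realm and keytab path are assumptions taken from the values on this page, and the `ktutil list` text at the end is a constructed sample used only to exercise the parser.

```shell
#!/bin/sh
# Added example, not from the PVV wiki: enrol a new machine as one script
# (the steps above) and verify the keytab against the KDC before moving on
# to PAM. Assumes Heimdal kadmin/ktutil/kinit/kdestroy on the box, network
# access to the KDC and kadmind, and an admin principal listed in kadmind.acl.
# The `ktutil list` text at the bottom is a constructed sample for the parser.
set -u

ADMIN=${ADMIN:-knuta/admin}          # principal with "all" in kadmind.acl
REALM=${REALM:-PVV.NTNU.NO}
KEYTAB=${KEYTAB:-/etc/krb5.keytab}   # ktutil's default keytab

# Same as "add --random-key host/FQDN" on the KDC, but over the network as
# ADMIN; --use-defaults takes the default principal's values, so the new
# principal gets requires-pre-auth without the interactive prompts.
add_host_principal() {
    kadmin -p "$ADMIN" add --random-key --use-defaults "host/$1"
}

# ktutil get sets a NEW random key on host/FQDN (kvno goes up) and stores it
# in KEYTAB: run it once per host, or every older keytab copy stops working.
fetch_keytab() {
    ktutil -k "$KEYTAB" get -p "$ADMIN" "host/$1"
}

# keytab_principals LISTING -> unique principals in a `ktutil list` listing
# (data rows start with the numeric kvno; header and FILE: line are skipped).
keytab_principals() {
    printf '%s\n' "$1" | awk 'NF >= 3 && $1 ~ /^[0-9]+$/ { print $3 }' | sort -u
}

# keytab_has_principal LISTING PRINCIPAL -> exit 0 if PRINCIPAL has a key.
keytab_has_principal() {
    keytab_principals "$1" | grep -qxF "$2"
}

# verify_keytab FQDN -> 0 if the key is in KEYTAB and the KDC accepts it:
# a keytab kinit into a throwaway cache proves host and KDC share the key.
verify_keytab() {
    listing=$(ktutil -k "$KEYTAB" list) || return 1
    if ! keytab_has_principal "$listing" "host/$1@$REALM"; then
        echo "host/$1@$REALM not found in $KEYTAB" >&2
        return 1
    fi
    cache="FILE:${TMPDIR:-/tmp}/verify-keytab.$$"
    KRB5CCNAME=$cache kinit -t "$KEYTAB" "host/$1" || return 1
    KRB5CCNAME=$cache kdestroy
}

# Usage (as root on the new box, after installing heimdal-clients):
#   sh enrol-host.sh berners-lee.pvv.ntnu.no
if [ $# -eq 1 ]; then
    add_host_principal "$1" && fetch_keytab "$1" && verify_keytab "$1"
fi

# Constructed sample of `ktutil list` output after a successful ktutil get.
SAMPLE_LISTING='FILE:/etc/krb5.keytab

Vno  Type                     Principal                                 Aliases
  1  aes256-cts-hmac-sha1-96  host/berners-lee.pvv.ntnu.no@PVV.NTNU.NO
  1  aes128-cts-hmac-sha1-96  host/berners-lee.pvv.ntnu.no@PVV.NTNU.NO'
```

The verification step is the part the wiki skips: a keytab that lists the principal but fails `kinit -t` usually means ktutil get was run twice (kvno mismatch) or the host's clock or /etc/hosts entry is off, and it is far easier to spot that here than after PAM starts rejecting logins.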