Index: en_US.ISO8859-1/books/handbook/security/chapter.xml
===================================================================
--- en_US.ISO8859-1/books/handbook/security/chapter.xml
+++ en_US.ISO8859-1/books/handbook/security/chapter.xml
@@ -1207,11 +1207,15 @@
KDC is recommended for security
reasons.
- To begin setting up a KDC, add these
- lines to /etc/rc.conf:
+ To begin install the security/heimdal package as follows:
- kdc_enable="YES"
-kadmind_enable="YES"
+ &prompt.root; pkg install security/heimdal
+
+ Next, update /etc/rc.conf using sysrc
+ as follows:
+
+ &prompt.root; sysrc kdc_enable="YES"
+&prompt.root; sysrc kadmind_enable="YES"Next, edit /etc/krb5.conf as
follows:
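Review bot: The added install step does not say which kdc and kadmind the unchanged kdc_enable and kadmind_enable settings will start. The rc.conf variables are the same ones as in the removed lines, so please confirm that they start the daemons from the security/heimdal package just installed, and say so in the text if anything more is needed. Wording: "To begin install the security/heimdal package as follows:" needs a comma after "begin", and the two consecutive "Next, ..." sentences read awkwardly. The two sysrc calls could also be one invocation, since sysrc accepts several name=value pairs.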
@@ -1292,27 +1296,46 @@
kadmin> init EXAMPLE.ORG
Realm max ticket life [unlimited]:
- Lastly, while still in kadmin, create
- the first principal using add. Stick to
- the default options for the principal for now, as these can be
+
+ Next, add the root user as the administrator user using
+ kadmin, using the add.
+ Stick to the default options for the admin principal for now, as these can be
changed later with modify. Type
? at the prompt to see the available
options.
+ kadmin> add root/admin
+Max ticket life [unlimited]:
+Max renewable life [unlimited]:
+Principal expiration time [never]:
+Password expiration time [never]:
+Attributes []:
+Password: xxxxxxxx
+Verifying password - Password: xxxxxxxx
+
+
+ Lastly, still in kadmin, create a non-administrative
+ principal using add.
+
+
kadmin> add tillman
Max ticket life [unlimited]:
Max renewable life [unlimited]:
+Principal expiration time [never]:
+Password expiration time [never]:
Attributes []:
Password: xxxxxxxx
Verifying password - Password: xxxxxxxx
- Next, start the KDC services by running
- service kdc start and
- service kadmind start. While there will
- not be any kerberized daemons running at this point, it is
- possible to confirm that the KDC is
- functioning by obtaining a ticket for the
- principal that was just created:
+ Next, start the KDC services by running:
+
+ &prompt.root; service kdc start
+&prompt.root; service kadmind start
+
+ While there will not be any kerberized daemons running at this point,
+ it is possible to confirm that the KDC is functioning by
+ obtaining a ticket for the principle that was just created:
+ &prompt.user; kinit tillman
tillman@EXAMPLE.ORG's Password:
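Review bot: The new paragraph calls root/admin "the administrator user", but nothing in this hunk gives that principal any rights; it is created with the same default answers as tillman. A later hunk in this patch says permission to use the kadmin interface comes from /var/heimdal/kadmind.acl, so either add the ACL step here or point forward to that section, otherwise readers will assume the /admin name alone is sufficient. Also in the added lines: "using kadmin, using the add." is missing its noun (the removed text read "using add"), and "obtaining a ticket for the principle that was just created" should be "principal". Since two principals are now created before kinit tillman, "the principal that was just created" could name tillman explicitly.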
@@ -1380,7 +1403,7 @@
kadmin will prompt for the password to get
a fresh ticket. The principal authenticating to the kadmin
service must be permitted to use the kadmin
- interface, as specified in kadmind.acl.
+ interface, as specified in /var/heimdal/kadmind.acl.
See the section titled Remote administration in
info heimdal for details on designing
access control lists. Instead of enabling remote
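Review bot: The changed line now gives an absolute path, /var/heimdal/kadmind.acl, while the first hunk of this patch moves the instructions to the security/heimdal package. Please confirm that this is the directory the packaged kadmind reads its ACL from, and that it matches the database location used elsewhere in the section, so that the path is not simply carried over from the earlier setup.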
@@ -1756,8 +1779,8 @@
Heimdal
- Kerberos home
+ xlink:href="https://github.com/heimdal/heimdal/wiki">Heimdal
+ Kerberos project wiki
page