Changeset View
Changeset View
Standalone View
Standalone View
en_US.ISO8859-1/books/handbook/security/chapter.xml
| Show First 20 Lines • Show All 1,201 Lines • ▼ Show 20 Lines | sendmail : PARANOID : deny</programlisting> | ||||
| security concerns. Direct access to the KDC should be | security concerns. Direct access to the KDC should be | ||||
| limited.</para> | limited.</para> | ||||
| <para>While running a <acronym>KDC</acronym> requires few | <para>While running a <acronym>KDC</acronym> requires few | ||||
| computing resources, a dedicated machine acting only as a | computing resources, a dedicated machine acting only as a | ||||
| <acronym>KDC</acronym> is recommended for security | <acronym>KDC</acronym> is recommended for security | ||||
| reasons.</para> | reasons.</para> | ||||
| <para>To begin setting up a <acronym>KDC</acronym>, add these | <para>To begin setting up a <acronym>KDC</acronym>, update | ||||
| lines to <filename>/etc/rc.conf</filename>:</para> | <filename>/etc/rc.conf</filename> using <command>sysrc</command> as follows:</para> | ||||
| <programlisting>kdc_enable="YES" | <screen>&prompt.root; <userinput>sysrc kdc_enable="YES"</userinput> | ||||
| kadmind_enable="YES"</programlisting> | &prompt.root; <userinput>sysrc kadmind_enable="YES"</userinput></screen> | ||||
| <para>Next, edit <filename>/etc/krb5.conf</filename> as | <para>Next, edit <filename>/etc/krb5.conf</filename> as | ||||
| follows:</para> | follows:</para> | ||||
| <programlisting>[libdefaults] | <programlisting>[libdefaults] | ||||
| default_realm = <replaceable>EXAMPLE.ORG</replaceable> | default_realm = <replaceable>EXAMPLE.ORG</replaceable> | ||||
| [realms] | [realms] | ||||
| <replaceable>EXAMPLE.ORG</replaceable> = { | <replaceable>EXAMPLE.ORG</replaceable> = { | ||||
| ▲ Show 20 Lines • Show All 64 Lines • ▼ Show 20 Lines | Verifying password - Master key: <userinput><replaceable>xxxxxxxxxxxxxxxxxxxxxxx</replaceable></userinput></screen> | ||||
| before it is created. At the <command>kadmin</command> | before it is created. At the <command>kadmin</command> | ||||
| prompt, use <command>init</command> to create the realm's | prompt, use <command>init</command> to create the realm's | ||||
| initial database:</para> | initial database:</para> | ||||
| <screen>&prompt.root; <userinput>kadmin -l</userinput> | <screen>&prompt.root; <userinput>kadmin -l</userinput> | ||||
| kadmin> <userinput>init <replaceable>EXAMPLE.ORG</replaceable></userinput> | kadmin> <userinput>init <replaceable>EXAMPLE.ORG</replaceable></userinput> | ||||
| Realm max ticket life [unlimited]:</screen> | Realm max ticket life [unlimited]:</screen> | ||||
| <para>Lastly, while still in <command>kadmin</command>, create | |||||
| the first principal using <command>add</command>. Stick to | <para>Next, add the root user as the administrator user using | ||||
| the default options for the principal for now, as these can be | <command>kadmin</command>, using the <command>add</command>. | ||||
| Stick to the default options for the admin principal for now, as these can be | |||||
| changed later with <command>modify</command>. Type | changed later with <command>modify</command>. Type | ||||
| <literal>?</literal> at the prompt to see the available | <literal>?</literal> at the prompt to see the available | ||||
| options.</para> | options.</para> | ||||
| <screen>kadmin> <userinput>add root/admin</userinput> | |||||
| Max ticket life [unlimited]: | |||||
| Max renewable life [unlimited]: | |||||
| Attributes []: | |||||
| Password: <userinput><replaceable>xxxxxxxx</replaceable></userinput> | |||||
| Verifying password - Password: <userinput><replaceable>xxxxxxxx</replaceable></userinput></screen> | |||||
| <para>Lastly, still in <command>kadmin</command>, create | |||||
| the first principal using <command>add</command>. | |||||
| </para> | |||||
| <screen>kadmin> <userinput>add <replaceable>tillman</replaceable></userinput> | <screen>kadmin> <userinput>add <replaceable>tillman</replaceable></userinput> | ||||
| Max ticket life [unlimited]: | Max ticket life [unlimited]: | ||||
| Max renewable life [unlimited]: | Max renewable life [unlimited]: | ||||
| Attributes []: | Attributes []: | ||||
| Password: <userinput><replaceable>xxxxxxxx</replaceable></userinput> | Password: <userinput><replaceable>xxxxxxxx</replaceable></userinput> | ||||
| Verifying password - Password: <userinput><replaceable>xxxxxxxx</replaceable></userinput></screen> | Verifying password - Password: <userinput><replaceable>xxxxxxxx</replaceable></userinput></screen> | ||||
| <para>Next, start the <acronym>KDC</acronym> services by running | <para>Next, start the <acronym>KDC</acronym> services by running:</para> | ||||
| <command>service kdc start</command> and | |||||
| <command>service kadmind start</command>. While there will | <screen>&prompt.root; <userinput>service kdc start</userinput> | ||||
| not be any kerberized daemons running at this point, it is | &prompt.root; <userinput>service kadmind start</userinput></screen> | ||||
| possible to confirm that the <acronym>KDC</acronym> is | |||||
| functioning by obtaining a ticket for the | <para>While there will not be any kerberized daemons running at this point, | ||||
| principal that was just created:</para> | it is possible to confirm that the <acronym>KDC</acronym> is functioning by | ||||
| obtaining a ticket for the principle that was just created: | |||||
| </para> | |||||
| <screen>&prompt.user; <userinput>kinit <replaceable>tillman</replaceable></userinput> | <screen>&prompt.user; <userinput>kinit <replaceable>tillman</replaceable></userinput> | ||||
| tillman@EXAMPLE.ORG's Password:</screen> | tillman@EXAMPLE.ORG's Password:</screen> | ||||
| <para>Confirm that a ticket was successfully obtained using | <para>Confirm that a ticket was successfully obtained using | ||||
| <command>klist</command>:</para> | <command>klist</command>:</para> | ||||
| <screen>&prompt.user; <userinput>klist</userinput> | <screen>&prompt.user; <userinput>klist</userinput> | ||||
| ▲ Show 20 Lines • Show All 2,822 Lines • Show Last 20 Lines | |||||