en_US.ISO8859-1/books/handbook/security/chapter.xml
| sendmail : PARANOID : deny</programlisting> | ||||
security concerns. Direct access to the KDC should be | security concerns. Direct access to the KDC should be | ||||
limited.</para> | limited.</para> | ||||
<para>While running a <acronym>KDC</acronym> requires few | <para>While running a <acronym>KDC</acronym> requires few | ||||
computing resources, a dedicated machine acting only as a | computing resources, a dedicated machine acting only as a | ||||
<acronym>KDC</acronym> is recommended for security | <acronym>KDC</acronym> is recommended for security | ||||
reasons.</para> | reasons.</para> | ||||
<para>To begin setting up a <acronym>KDC</acronym>, add these | <para>To begin setting up a <acronym>KDC</acronym>, update | ||||
lines to <filename>/etc/rc.conf</filename>:</para> | <filename>/etc/rc.conf</filename> using <command>sysrc</command> as follows:</para> | ||||
<programlisting>kdc_enable="YES" | <screen>&prompt.root; <userinput>sysrc kdc_enable="YES"</userinput> | ||||
kadmind_enable="YES"</programlisting> | &prompt.root; <userinput>sysrc kadmind_enable="YES"</userinput></screen> | ||||
<para>Next, edit <filename>/etc/krb5.conf</filename> as | <para>Next, edit <filename>/etc/krb5.conf</filename> as | ||||
follows:</para> | follows:</para> | ||||
<programlisting>[libdefaults] | <programlisting>[libdefaults] | ||||
default_realm = <replaceable>EXAMPLE.ORG</replaceable> | default_realm = <replaceable>EXAMPLE.ORG</replaceable> | ||||
[realms] | [realms] | ||||
<replaceable>EXAMPLE.ORG</replaceable> = { | <replaceable>EXAMPLE.ORG</replaceable> = { | ||||
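Review bot: the switch from a `<programlisting>` of rc.conf lines to `<screen>` `sysrc` invocations is consistent with the `&prompt.root;`/`<userinput>` convention used for the other commands in this chapter, but the new lead-in `update <filename>/etc/rc.conf</filename> using <command>sysrc</command> as follows:` drops any statement of what the two settings do, and a reader unfamiliar with `sysrc` no longer sees the `kdc_enable="YES"` entries that would have made it obvious. Suggest wording such as `enable the kdc and kadmind services in <filename>/etc/rc.conf</filename> using <command>sysrc</command>:` so the purpose survives the change of mechanism.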
| Verifying password - Master key: <userinput><replaceable>xxxxxxxxxxxxxxxxxxxxxxx</replaceable></userinput></screen> | ||||
before it is created. At the <command>kadmin</command> | before it is created. At the <command>kadmin</command> | ||||
prompt, use <command>init</command> to create the realm's | prompt, use <command>init</command> to create the realm's | ||||
initial database:</para> | initial database:</para> | ||||
<screen>&prompt.root; <userinput>kadmin -l</userinput> | <screen>&prompt.root; <userinput>kadmin -l</userinput> | ||||
kadmin> <userinput>init <replaceable>EXAMPLE.ORG</replaceable></userinput> | kadmin> <userinput>init <replaceable>EXAMPLE.ORG</replaceable></userinput> | ||||
Realm max ticket life [unlimited]:</screen> | Realm max ticket life [unlimited]:</screen> | ||||
<para>Lastly, while still in <command>kadmin</command>, create | |||||
the first principal using <command>add</command>. Stick to | <para>Next, add the root user as the administrator user using | ||||
the default options for the principal for now, as these can be | <command>kadmin</command>, using the <command>add</command>. | ||||
Stick to the default options for the admin principal for now, as these can be | |||||
changed later with <command>modify</command>. Type | changed later with <command>modify</command>. Type | ||||
<literal>?</literal> at the prompt to see the available | <literal>?</literal> at the prompt to see the available | ||||
options.</para> | options.</para> | ||||
<screen>kadmin> <userinput>add root/admin</userinput> | |||||
Max ticket life [unlimited]: | |||||
Max renewable life [unlimited]: | |||||
Attributes []: | |||||
Password: <userinput><replaceable>xxxxxxxx</replaceable></userinput> | |||||
Verifying password - Password: <userinput><replaceable>xxxxxxxx</replaceable></userinput></screen> | |||||
<para>Lastly, still in <command>kadmin</command>, create | |||||
the first principal using <command>add</command>. | |||||
</para> | |||||
<screen>kadmin> <userinput>add <replaceable>tillman</replaceable></userinput> | <screen>kadmin> <userinput>add <replaceable>tillman</replaceable></userinput> | ||||
Max ticket life [unlimited]: | Max ticket life [unlimited]: | ||||
Max renewable life [unlimited]: | Max renewable life [unlimited]: | ||||
Attributes []: | Attributes []: | ||||
Password: <userinput><replaceable>xxxxxxxx</replaceable></userinput> | Password: <userinput><replaceable>xxxxxxxx</replaceable></userinput> | ||||
Verifying password - Password: <userinput><replaceable>xxxxxxxx</replaceable></userinput></screen> | Verifying password - Password: <userinput><replaceable>xxxxxxxx</replaceable></userinput></screen> | ||||
<para>Next, start the <acronym>KDC</acronym> services by running | <para>Next, start the <acronym>KDC</acronym> services by running:</para> | ||||
<command>service kdc start</command> and | |||||
<command>service kadmind start</command>. While there will | <screen>&prompt.root; <userinput>service kdc start</userinput> | ||||
not be any kerberized daemons running at this point, it is | &prompt.root; <userinput>service kadmind start</userinput></screen> | ||||
possible to confirm that the <acronym>KDC</acronym> is | |||||
functioning by obtaining a ticket for the | <para>While there will not be any kerberized daemons running at this point, | ||||
principal that was just created:</para> | it is possible to confirm that the <acronym>KDC</acronym> is functioning by | ||||
obtaining a ticket for the principle that was just created: | |||||
</para> | |||||
<screen>&prompt.user; <userinput>kinit <replaceable>tillman</replaceable></userinput> | <screen>&prompt.user; <userinput>kinit <replaceable>tillman</replaceable></userinput> | ||||
tillman@EXAMPLE.ORG's Password:</screen> | tillman@EXAMPLE.ORG's Password:</screen> | ||||
<para>Confirm that a ticket was successfully obtained using | <para>Confirm that a ticket was successfully obtained using | ||||
<command>klist</command>:</para> | <command>klist</command>:</para> | ||||
<screen>&prompt.user; <userinput>klist</userinput> | <screen>&prompt.user; <userinput>klist</userinput> | ||||
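Review bot: the rewritten kinit paragraph misspells the key term: `obtaining a ticket for the principle that was just created:` should read `principal`, as in the text it replaces. Two further wording problems in this hunk follow from inserting the `root/admin` step: `create the first principal using <command>add</command>.` is no longer accurate once `root/admin` has already been added just above, so say `a user principal` (or `the first user principal`); and `using <command>kadmin</command>, using the <command>add</command>.` is missing its noun and repeats `using`, so something like `using the <command>add</command> command in <command>kadmin</command>` reads correctly. The text also calls `root/admin` the administrator user, yet nothing in this hunk grants it administrative rights (Heimdal grants those through the kadmind ACL file), so either state where that is configured or cross-reference the section that does. Minor style: the new `</para>` tags sit on their own lines after the sentence, while the rest of the chapter closes them inline.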