Re: Help with Kerberos 5 setup

2003-02-14 Thread Tillman
On Thu, Feb 13, 2003 at 09:54:33PM -0800, La Temperanza wrote:
> Thanks, your PDF helped me get k5su up and running. Now can you help me switch
> my console login service to Kerberos? :) I don't quite get the man pages for PAM
> and am worried about locking myself out of my system if I do something wrong.

Step number 1: log in on a different virtual console and leave it logged
in. This console is known as insurance ;-)

It's really not that hard with a fairly recent FreeBSD ... there should
be a pam_krb5 already in there (but commented out).

pam.conf is broken into sections, corresponding to the different
services that might require authentication. The first block in the
pam.conf is for the console login service. Try uncommenting the pam_krb5
line and logging in on a third virtual service.

I'm not actually using pam for services other than console login - while
pam is great for centralizing authentication, it doesn't magically add
encryption of the data stream to the various service daemons (the MIT
kerberos -x switch for most apps). You'll need service daemons that
specifically support that.

Hmmm. Now that I think about it, with Heimdal in the base install, the
normal daemons /might/ actually do that. It doesn't apply to me as I
use MIT krb5, but it'd be worth investigating if you're using the
heimdal in the base install.

- Tillman


-- 
Simplicity is the most difficult thing to secure in this world; it is the last
limit of experience and the last effort of genius.
George Sand

To Unsubscribe: send mail to [EMAIL PROTECTED]
with unsubscribe freebsd-questions in the body of the message
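The pam.conf edit Tillman describes, as an added illustration rather than either poster's own file: the console login section of a FreeBSD 4.x-style /etc/pam.conf with the pam_krb5 line uncommented and pam_unix kept as the fallback. The layout is reconstructed from memory of that file; the exact lines and module arguments are assumptions, so compare against your own copy.

```conf
# Illustrative "login" section of /etc/pam.conf (FreeBSD 4.x layout,
# reconstructed; line order and module arguments are assumptions).
#
# Each line is:  service  type  control  module  [args]
# The "auth" lines run top to bottom.  "sufficient" means a pass ends the
# stack with success; "required" means a failure is fatal but the remaining
# lines still run (so the prompt does not reveal which module rejected you).

# Uncommented: try the Kerberos 5 password first.  Because the control is
# "sufficient", a wrong password, an unreachable KDC, or a principal that
# does not exist simply falls through to the next line instead of denying
# the login.
login   auth    sufficient      pam_krb5.so             try_first_pass

# The local master.passwd check stays as the fallback.  This line is what
# keeps you able to log in if Kerberos is misconfigured; remove or weaken
# it only once the Kerberos path demonstrably works.
login   auth    required        pam_unix.so             try_first_pass

login   account  required       pam_unix.so
login   password required       pam_permit.so
login   session  required       pam_permit.so

# What not to do while testing: make pam_krb5 the only auth module and mark
# it "required".  With a stack like this, a down KDC locks every console
# login out, including root on the "insurance" console once it is closed.
#login  auth    required        pam_krb5.so
```

Verify the change by logging in on a third virtual console while the existing session stays open, exactly as the message advises.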



Re: Help with Kerberos 5 setup

2003-02-13 Thread La Temperanza
Thanks, your PDF helped me get k5su up and running. Now can you help me switch
my console login service to Kerberos? :) I don't quite get the man pages for PAM
and am worried about locking myself out of my system if I do something wrong.




Help with Kerberos 5 setup

2003-02-13 Thread La Temperanza
Hello, I'm a newbie to Kerberos trying to set it up at the suggestion of the
handbook's Securing FreeBSD section. However, the Kerberos section is heavily
biased towards version 4 and I'm not sure if it's leading me on the right track.
I've figured out how to edit krb5.conf to set my realms, boot up kadmind and kdc
in rc.conf, init the database using k5admin and stash my master key. However,
when adding the two principals the handbook says are needed I get a few warning
messages which I'm nervous about.

kadmin add --random-password passwd
root/admin@SAKURA's Password: 
Max ticket life [unlimited]:
Max renewable life [unlimited]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes []:
root/admin@SAKURA's Password: 
k5admin: kadm5_create_principal: Client (root/admin@SAKURA) unknown
added passwd@SAKURA with password `not4u2c'
k5admin: adding passwd: Client not found in Kerberos database

It looks like all I need to do is add myself in as a client somehow, but I'd
like to be reassured that the handbook's setup instructions for Kerberos 4
are also the right ones under Kerberos 5. Can anyone do that, or help me through
the correct setup procedure if it's different?




Re: Help with Kerberos 5 setup

2003-02-13 Thread Tillman
On Thu, Feb 13, 2003 at 11:22:54AM -0800, La Temperanza wrote:
> Hello, I'm a newbie to Kerberos trying to set it up at the suggestion of the
> handbook's Securing FreeBSD section. However, the Kerberos section is heavily
> biased towards version 4 and I'm not sure if it's leading me on the right track.
> I've figured out how to edit krb5.conf to set my realms, boot up kadmind and kdc
> in rc.conf, init the database using k5admin and stash my master key. However,
> when adding the two principals the handbook says are needed I get a few warning
> messages which I'm nervous about.

[snip]

> It looks like all I need to do is add myself in as a client somehow, but I'd
> like to be reassured that the handbook's setup instructions for Kerberos 4
> are also the right ones under Kerberos 5. Can anyone do that, or help me through
> the correct setup procedure if it's different?

No, the instructions are similar but different.

If you're using the Heimdal krb5 (part of the base system or via ports),
you'll want to read
http://www.pdc.kth.se/heimdal/heimdal.html#Setting%20up%20a%20realm. If
you're using the MIT krb5 port (what I'm running these days, though I
started with Heimdal) you'll want to read
http://web.mit.edu/kerberos/www/krb5-1.2/krb5-1.2.7/doc/install.html#SEC39.

More information on Kerberos that I've collected over time is at
http://www.rospa.ca/projects/kerberos/resources.html.

Good luck,

- Tillman

-- 
Page xxviii: More than any other computer system today, Unix will repay
every moment that you spend learning and experimenting.
- Harley Hahn, _The Unix Companion_
