Diff for /wikisrc/kerberos/system.mdwn between versions 1.7 and 1.10

version 1.7, 2011/08/06 00:09:47 version 1.10, 2013/05/26 14:37:31
Line 1 Line 1
 [[!tag kerberos howto]]  [[!tag kerberos howto]]
   
 #### Why enable Kerberos on your system?  ## Why enable Kerberos on your system?
   
 Convenience and security. With  Convenience and security. With
 [Kerberos](http://web.mit.edu/Kerberos/dialogue.html), a single  [Kerberos](http://web.mit.edu/Kerberos/dialogue.html), a single
 login grants access to all NetBSD web services. Configuration is easy  login grants access to all NetBSD web services. Configuration is easy
 and you only have to do it once (sometimes less).  and you only have to do it once (sometimes less).
   
 #### [[!toggle id="macosx" text="Mac OS X"]]  
 [[!toggleable id="macosx" text="""  ## NetBSD
   
   NetBSD needs to be configured to prevent Kerberos from being used
   to log into _your_ system, and then to enable Kerberos.
   
   7. Either disable Kerberos auth for `sshd`, `login`, etc. in
   `/etc/pam.d`, or tell your relevant services not to use PAM.
   
      /!\ Disabling KerberosAuthentication in `/etc/ssh/sshd_config` does **NOT** prevent `sshd` from invoking `pam_krb5.so` and prompting for a Kerberos password -- oops. Since you probably do not have a host key in the realm NETBSD.ORG you have little to fear from ssh's KerberosAuthentication method -- nothing can get tickets to use your machine, because there is no host instance for your machine shared between the NetBSD kerberos server and your local keytab. So, the bottom line: turn off UsePAM for `sshd` or adjust your PAM configuration; don't worry about KerberosAuthentication or GSSAPIAuthentication in `sshd` itself.
   
   7. Create `/etc/krb5.conf` containing only the line `[libdefaults]`.
   
   NetBSD will now autodiscover and uses the NETBSD.ORG KDC as defined
   in DNS. To use Kerberized TNF services, log in with your Kerberos
   [[password]]:
   
       $ kinit <username>@NETBSD.ORG
   
   The right-hand side is a Kerberos realm, not a DNS domain. Case is significant!
   
   
   ## Mac OS X
   
 OS X autodiscovers and uses the NETBSD.ORG KDC as defined in DNS.  OS X autodiscovers and uses the NETBSD.ORG KDC as defined in DNS.
 To use Kerberized TNF services, log in with your Kerberos [[password]]:  To use Kerberized TNF services, log in with your Kerberos [[password]]:
   
 `$ kinit <username>@NETBSD.ORG`      $ kinit <username>@NETBSD.ORG
   
 The right-hand side is a Kerberos realm, not a DNS domain. Case is significant!  The right-hand side is a Kerberos realm, not a DNS domain. Case is significant!
   
 ##### A Keychain.app trick  ### A Keychain.app trick
   
 To pop up a GUI password dialog:  To pop up a GUI password dialog:
   
 `$ kinit <username>@NETBSD.ORG </dev/null`      $ kinit <username>@NETBSD.ORG </dev/null
   
 Check "Remember this password in my keychain" to make future Kerberos  Check "Remember this password in my keychain" to make future Kerberos
 logins (sans input redirection) prompt-free.  logins (sans input redirection) prompt-free.
 """]]  
   
 #### [[!toggle id="netbsd" text="NetBSD"]]  ### Storing the Kerberos Password in Your Keychain
 [[!toggleable id="netbsd" text="""  
 NetBSD needs to be configured to prevent Kerberos from being used  
 to log into _your_ system, and then to enable Kerberos.  
   
 7. Either disable Kerberos auth for `sshd`, `login`, etc. in  Let us say you have an account "bob" on the realm "NETBSD.ORG" with password "mypasswd". Then in a Terminal type on one single line
 `/etc/pam.d`, or tell your relevant services not to use PAM.  
   
    /!\ Disabling KerberosAuthentication in `/etc/ssh/sshd_config` does **NOT** prevent `sshd` from invoking `pam_krb5.so` and prompting for a Kerberos password -- oops. Since you probably do not have a host key in the realm NETBSD.ORG you have little to fear from ssh's KerberosAuthentication method -- nothing can get tickets to use your machine, because there is no host instance for your machine shared between the NetBSD kerberos server and your local keytab. So, the bottom line: turn off UsePAM for `sshd` or adjust your PAM configuration; don't worry about KerberosAuthentication or GSSAPIAuthentication in `sshd` itself.      security add-generic-password -a "bob" -l "NETBSD.ORG (bob)" -s "NETBSD.ORG" -w "mypasswd" -c "aapl" -T "/usr/bin/kinit"
   
 7. Create `/etc/krb5.conf` containing only the line `[libdefaults]`.  This will create an item in your default Keychain named "NETBSD.ORG (bob)" with your Kerberos credentials and kinit it will be authorized to access it. You can add as many -T "/fulpath/program" switches as you want, each will give access to the specific program to use your kerberos credentials. For example -T "/Applications/Mail.app/Contents/MacOS/Mail" will add access for Mail.app.
   
 NetBSD will now autodiscover and uses the NETBSD.ORG KDC as defined  More details with man security.
 in DNS. To use Kerberized TNF services, log in with your Kerberos  
 [[password]]:  
   
 `$ kinit <username>@NETBSD.ORG`  After that kinit bob@NETBSD.ORG will not prompt you for a password but will get it from the keychain.
   
 The right-hand side is a Kerberos realm, not a DNS domain. Case is significant!  (This tip is orignally from [superuser.com](http://superuser.com/questions/360262/integrate-kerberos-and-keychain))
 """]]  
   
 #### [[!toggle id="windows" text="Windows XP"]]  ## Windows XP
 [[!toggleable id="windows" text="""  
   
 Windows does not provide an easy way to configure and use KDCs different from the one embedded into an Active Directory.  Windows does not provide an easy way to configure and use KDCs
   different from the one embedded into an Active Directory.
   
 Therefore, to use [[Kerberos]], you should follow the following steps:  Therefore, to use [[Kerberos]], you should follow the following
   steps:
   
 7. Download the [MIT Kerberos for Windows](http://web.mit.edu/Kerberos/dist/#kfw-3.2) installer. It is composed of different tools traditionally found with Kerberos distributions, like [[!template id=man name=kinit section=1]] or [[!template id=man name=klist section=1]], and a Network Identity Manager, an application used to manage credential caching of Kerberos tickets.  7. Download the
      [MIT Kerberos for Windows](http://web.mit.edu/Kerberos/dist/#kfw-3.2)
      installer. It is composed of different tools traditionally found
      with Kerberos distributions, like
      [[!template id=man name=kinit section=1]] or
      [[!template id=man name=klist section=1]], and a Network Identity
      Manager, an application used to manage credential caching of
      Kerberos tickets.
   
 7. Install the package. Use the default provided options, then restart the computer.  7. Install the package. Use the default provided options, then
      restart the computer.
   
 7. The Network Identity Manager [(PDF)](http://web.mit.edu/kerberos/kfw-3.2/kfw-3.2.2/netidmgr_userdoc.pdf) should automatically start when you login. As there is no principal currently configured, it should open a dialog box to obtain the new credentials.  7. The Network Identity Manager
      [(PDF)](http://web.mit.edu/kerberos/kfw-3.2/kfw-3.2.2/netidmgr_userdoc.pdf)
      should automatically start when you login. As there is no principal
      currently configured, it should open a dialog box to obtain the
      new credentials.
   
 7. Enter your principal:  7. Enter your principal:
   
         Username: <username>      Username: <username>
         Realm: NETBSD.ORG      Realm: NETBSD.ORG
   
 7. Click `Ok`. After a few seconds, it should obtain the TGT for you from NetBSD.ORG KDC.  
   
 """]]  7. Click `Ok`. After a few seconds, it should obtain the TGT for
      you from the NETBSD.ORG KDC.

Removed from v.1.7  
changed lines
  Added in v.1.10


CVSweb for NetBSD wikisrc <wikimaster@NetBSD.org> software: FreeBSD-CVSweb