Diff for /wikisrc/kerberos/system.mdwn between versions 1.1 and 1.12

version 1.1, 2009/10/21 01:06:48 version 1.12, 2015/02/04 03:16:53
Line 1 Line 1
 [[!tag kerberos howto]]  [[!tag kerberos howto]]
   
 #### Why Kerberize your system?  ## Why enable Kerberos on your system?
   
 Convenience and security. With [Kerberos](http://web.mit.edu/Kerberos/dialogue.html), a single login grants access to all NetBSD web services.  Convenience and security. With
   [Kerberos](http://web.mit.edu/Kerberos/dialogue.html), a single
   login grants access to all NetBSD web services. Configuration is easy
   and you only have to do it once (sometimes less).
   
 #### [[!toggle id="macosx" text="Mac OS X"]]  
 [[!toggleable id="macosx" text="""  
 OS X autodiscovers and uses the NETBSD.ORG KDC as defined in DNS. To use Kerberized TNF services, log in with your Kerberos [[password]]:  
   
 `$ kinit <username>@NETBSD.ORG`  ## NetBSD
   
 The right-hand side is a Kerberos realm, not a DNS domain. Case is significant!  NetBSD needs to be configured to prevent Kerberos from being used
 """]]  to log into _your_ system, and then to enable Kerberos.
   
 #### [[!toggle id="netbsd" text="NetBSD"]]  7. Either disable Kerberos auth for `sshd`, `login`, etc. in
 [[!toggleable id="netbsd" text="""  `/etc/pam.d`, or tell your relevant services not to use PAM.
 NetBSD needs to be configured to prevent Kerberos from being used to log into _your_ system, and then to enable Kerberos.  
      /!\ Disabling KerberosAuthentication in `/etc/ssh/sshd_config` does **NOT** prevent `sshd` from invoking `pam_krb5.so` and prompting for a Kerberos password -- oops. Since you probably do not have a host key in the realm NETBSD.ORG you have little to fear from ssh's KerberosAuthentication method -- nothing can get tickets to use your machine, because there is no host instance for your machine shared between the NetBSD kerberos server and your local keytab. So, the bottom line: turn off UsePAM for `sshd` or adjust your PAM configuration; don't worry about KerberosAuthentication or GSSAPIAuthentication in `sshd` itself.
   
 7. Either disable Kerberos auth for `sshd`, `login`, etc. in `/etc/pam.d`, or tell your relevant services not to use PAM.    
 (Note that disabling KerberosAuthentication in `/etc/ssh/sshd_config` does NOT prevent `sshd` from invoking `pam_krb5.so` and prompting for a Kerberos password -- oops. Since you probably do not have a host key in the realm NETBSD.ORG you have little to fear from ssh's KerberosAuthentication method -- nothing can get tickets to use your machine, because there is no host instance for your machine shared between the NetBSD kerberos server and your local keytab. So, the bottom line: turn off UsePAM for `sshd` or adjust your PAM configuration; don't worry about KerberosAuthentication or GSSAPIAuthentication in `sshd` itself.)  
 7. Create `/etc/krb5.conf` containing only the line `[libdefaults]`.  7. Create `/etc/krb5.conf` containing only the line `[libdefaults]`.
   
 NetBSD will now autodiscover and uses the NETBSD.ORG KDC as defined in DNS. To use Kerberized TNF services, log in with your Kerberos [[password]]:  NetBSD will now autodiscover and uses the NETBSD.ORG KDC as defined
   in DNS. To use Kerberized TNF services, log in with your Kerberos
   [[password]]:
   
       $ kinit <username>@NETBSD.ORG
   
   The right-hand side is a Kerberos realm, not a DNS domain. *Case is significant!*
   
   
   ## Mac OS X
   
   OS X autodiscovers and uses the NETBSD.ORG KDC as defined in DNS.
   To use Kerberized TNF services, log in with your Kerberos [[password]]:
   
   7. Launch the `Ticket Viewer.app` from `/System/Library/CoreServices`
   
   7. Press the "Add Identity" button
   
   7. In the identity field enter your `<username>@NETBSD.ORG`
   
       The right-hand side is a Kerberos realm, not a DNS domain. *Case is significant!*
   
   7. Enter the password associated with this identity in the password field
   
      By default Ticket Viewer.app will save password details in keychain, un-tick "Remember password in my keychain" if this is not desired behaviour
   
   7. Press continue
   
   If successful, you'll be returned to the main window with a new entry below the icons containing `<username>@NETBSD.ORG` and the date and time which the ticket obtained is due to expired.
   
   ## Windows XP
   
   Windows does not provide an easy way to configure and use KDCs
   different from the one embedded into an Active Directory.
   
   Therefore, to use [[Kerberos]], you should follow the following
   steps:
   
   7. Download the
      [MIT Kerberos for Windows](http://web.mit.edu/Kerberos/dist/#kfw-3.2)
      installer. It is composed of different tools traditionally found
      with Kerberos distributions, like
      [[!template id=man name=kinit section=1]] or
      [[!template id=man name=klist section=1]], and a Network Identity
      Manager, an application used to manage credential caching of
      Kerberos tickets.
   
   7. Install the package. Use the default provided options, then
      restart the computer.
   
   7. The Network Identity Manager
      [(PDF)](http://web.mit.edu/kerberos/kfw-3.2/kfw-3.2.2/netidmgr_userdoc.pdf)
      should automatically start when you login. As there is no principal
      currently configured, it should open a dialog box to obtain the
      new credentials.
   
   7. Enter your principal:
   
 `$ kinit <username>@NETBSD.ORG`      Username: <username>
       Realm: NETBSD.ORG
   
 The right-hand side is a Kerberos realm, not a DNS domain. Case is significant!  7. Click `Ok`. After a few seconds, it should obtain the TGT for
 """]]     you from the NETBSD.ORG KDC.

Removed from v.1.1  
changed lines
  Added in v.1.12


CVSweb for NetBSD wikisrc <wikimaster@NetBSD.org> software: FreeBSD-CVSweb