Diff for /wikisrc/kerberos/system.mdwn between versions 1.1.1.1 and 1.2

version 1.1.1.1, 2009/10/21 01:06:48 version 1.2, 2009/10/21 01:15:50
Line 2 Line 2
   
 #### Why Kerberize your system?  #### Why Kerberize your system?
   
 Convenience and security. With [Kerberos](http://web.mit.edu/Kerberos/dialogue.html), a single login grants access to all NetBSD web services.  Convenience and security. With
   [Kerberos](http://web.mit.edu/Kerberos/dialogue.html), a single
   login grants access to all NetBSD web services.
   
 #### [[!toggle id="macosx" text="Mac OS X"]]  #### [[!toggle id="macosx" text="Mac OS X"]]
 [[!toggleable id="macosx" text="""  [[!toggleable id="macosx" text="""
 OS X autodiscovers and uses the NETBSD.ORG KDC as defined in DNS. To use Kerberized TNF services, log in with your Kerberos [[password]]:  OS X autodiscovers and uses the NETBSD.ORG KDC as defined in DNS.
   To use Kerberized TNF services, log in with your Kerberos [[password]]:
   
 `$ kinit <username>@NETBSD.ORG`  `$ kinit <username>@NETBSD.ORG`
   
Line 15  The right-hand side is a Kerberos realm, Line 18  The right-hand side is a Kerberos realm,
   
 #### [[!toggle id="netbsd" text="NetBSD"]]  #### [[!toggle id="netbsd" text="NetBSD"]]
 [[!toggleable id="netbsd" text="""  [[!toggleable id="netbsd" text="""
 NetBSD needs to be configured to prevent Kerberos from being used to log into _your_ system, and then to enable Kerberos.  NetBSD needs to be configured to prevent Kerberos from being used
   to log into _your_ system, and then to enable Kerberos.
   
 7. Either disable Kerberos auth for `sshd`, `login`, etc. in `/etc/pam.d`, or tell your relevant services not to use PAM.    7. Either disable Kerberos auth for `sshd`, `login`, etc. in
 (Note that disabling KerberosAuthentication in `/etc/ssh/sshd_config` does NOT prevent `sshd` from invoking `pam_krb5.so` and prompting for a Kerberos password -- oops. Since you probably do not have a host key in the realm NETBSD.ORG you have little to fear from ssh's KerberosAuthentication method -- nothing can get tickets to use your machine, because there is no host instance for your machine shared between the NetBSD kerberos server and your local keytab. So, the bottom line: turn off UsePAM for `sshd` or adjust your PAM configuration; don't worry about KerberosAuthentication or GSSAPIAuthentication in `sshd` itself.)  `/etc/pam.d`, or tell your relevant services not to use PAM.  
   (Note that disabling KerberosAuthentication in `/etc/ssh/sshd_config`
   does NOT prevent `sshd` from invoking `pam_krb5.so` and prompting
   for a Kerberos password -- oops. Since you probably do not have a
   host key in the realm NETBSD.ORG you have little to fear from ssh's
   KerberosAuthentication method -- nothing can get tickets to use
   your machine, because there is no host instance for your machine
   shared between the NetBSD kerberos server and your local keytab.
   So, the bottom line: turn off UsePAM for `sshd` or adjust your PAM
   configuration; don't worry about KerberosAuthentication or
   GSSAPIAuthentication in `sshd` itself.)
 7. Create `/etc/krb5.conf` containing only the line `[libdefaults]`.  7. Create `/etc/krb5.conf` containing only the line `[libdefaults]`.
   
 NetBSD will now autodiscover and uses the NETBSD.ORG KDC as defined in DNS. To use Kerberized TNF services, log in with your Kerberos [[password]]:  NetBSD will now autodiscover and uses the NETBSD.ORG KDC as defined
   in DNS. To use Kerberized TNF services, log in with your Kerberos
   [[password]]:
   
 `$ kinit <username>@NETBSD.ORG`  `$ kinit <username>@NETBSD.ORG`
   

Removed from v.1.1.1.1  
changed lines
  Added in v.1.2


CVSweb for NetBSD wikisrc <wikimaster@NetBSD.org> software: FreeBSD-CVSweb