Diff for /wikisrc/kerberos/system.mdwn between versions 1.2 and 1.5

version 1.2, 2009/10/21 01:15:50 version 1.5, 2011/08/01 14:26:18
Line 1 Line 1
 [[!tag kerberos howto]]  [[!tag kerberos howto]]
   
 #### Why Kerberize your system?  #### Why enable Kerberos on your system?
   
 Convenience and security. With  Convenience and security. With
 [Kerberos](http://web.mit.edu/Kerberos/dialogue.html), a single  [Kerberos](http://web.mit.edu/Kerberos/dialogue.html), a single
 login grants access to all NetBSD web services.  login grants access to all NetBSD web services. Configuration is easy
   and you only have to do it once (sometimes less).
   
 #### [[!toggle id="macosx" text="Mac OS X"]]  #### [[!toggle id="macosx" text="Mac OS X"]]
 [[!toggleable id="macosx" text="""  [[!toggleable id="macosx" text="""
Line 14  To use Kerberized TNF services, log in w Line 15  To use Kerberized TNF services, log in w
 `$ kinit <username>@NETBSD.ORG`  `$ kinit <username>@NETBSD.ORG`
   
 The right-hand side is a Kerberos realm, not a DNS domain. Case is significant!  The right-hand side is a Kerberos realm, not a DNS domain. Case is significant!
   
   ##### A Keychain trick
   
   To pop up a GUI password dialog:
   
   `$ kinit <username>@NETBSD.ORG </dev/null`
   
   Check "Remember this password in my keychain" to simplify future
   logins down to a one-word, prompt-free command:
   
   `$ kinit`
 """]]  """]]
   
 #### [[!toggle id="netbsd" text="NetBSD"]]  #### [[!toggle id="netbsd" text="NetBSD"]]
Line 22  NetBSD needs to be configured to prevent Line 34  NetBSD needs to be configured to prevent
 to log into _your_ system, and then to enable Kerberos.  to log into _your_ system, and then to enable Kerberos.
   
 7. Either disable Kerberos auth for `sshd`, `login`, etc. in  7. Either disable Kerberos auth for `sshd`, `login`, etc. in
 `/etc/pam.d`, or tell your relevant services not to use PAM.    `/etc/pam.d`, or tell your relevant services not to use PAM.
 (Note that disabling KerberosAuthentication in `/etc/ssh/sshd_config`  
 does NOT prevent `sshd` from invoking `pam_krb5.so` and prompting     /!\ Disabling KerberosAuthentication in `/etc/ssh/sshd_config` does **NOT** prevent `sshd` from invoking `pam_krb5.so` and prompting for a Kerberos password -- oops. Since you probably do not have a host key in the realm NETBSD.ORG you have little to fear from ssh's KerberosAuthentication method -- nothing can get tickets to use your machine, because there is no host instance for your machine shared between the NetBSD kerberos server and your local keytab. So, the bottom line: turn off UsePAM for `sshd` or adjust your PAM configuration; don't worry about KerberosAuthentication or GSSAPIAuthentication in `sshd` itself.
 for a Kerberos password -- oops. Since you probably do not have a  
 host key in the realm NETBSD.ORG you have little to fear from ssh's  
 KerberosAuthentication method -- nothing can get tickets to use  
 your machine, because there is no host instance for your machine  
 shared between the NetBSD kerberos server and your local keytab.  
 So, the bottom line: turn off UsePAM for `sshd` or adjust your PAM  
 configuration; don't worry about KerberosAuthentication or  
 GSSAPIAuthentication in `sshd` itself.)  
 7. Create `/etc/krb5.conf` containing only the line `[libdefaults]`.  7. Create `/etc/krb5.conf` containing only the line `[libdefaults]`.
   
 NetBSD will now autodiscover and uses the NETBSD.ORG KDC as defined  NetBSD will now autodiscover and uses the NETBSD.ORG KDC as defined
Line 43  in DNS. To use Kerberized TNF services,  Line 48  in DNS. To use Kerberized TNF services, 
   
 The right-hand side is a Kerberos realm, not a DNS domain. Case is significant!  The right-hand side is a Kerberos realm, not a DNS domain. Case is significant!
 """]]  """]]
   
   #### [[!toggle id="windows" text="Windows XP"]]
   [[!toggleable id="windows" text="""
   
   Windows does not provide an easy way to configure and use KDCs different from the one embedded into an Active Directory.
   
   Therefore, to use [[Kerberos]], you should follow the following steps:
   
   7. Download the [MIT Kerberos for Windows](http://web.mit.edu/Kerberos/dist/#kfw-3.2) installer. It is composed of different tools traditionally found with Kerberos distributions, like [[!template id=man name=kinit section=1]] or [[!template id=man name=klist section=1]], and a Network Identity Manager, an application used to manage credential caching of Kerberos tickets.
   
   7. Install the package. Use the default provided options, then restart the computer.
   
   7. The Network Identity Manager [(PDF)](http://web.mit.edu/kerberos/kfw-3.2/kfw-3.2.2/netidmgr_userdoc.pdf) should automatically start when you login. As there is no principal currently configured, it should open a dialog box to obtain the new credentials.
   
   7. Enter your principal:
   
           Username: <username>
           Realm: NETBSD.ORG
   
   7. Click `Ok`. After a few seconds, it should obtain the TGT for you from NetBSD.ORG KDC.
   
   """]]

Removed from v.1.2  
changed lines
  Added in v.1.5


CVSweb for NetBSD wikisrc <wikimaster@NetBSD.org> software: FreeBSD-CVSweb