Annotation of wikisrc/kerberos/system.mdwn, revision 1.2
[[!tag kerberos howto]]

#### Why Kerberize your system?

Convenience and security. With
[Kerberos](http://web.mit.edu/Kerberos/dialogue.html), a single
login grants access to all NetBSD web services.

#### [[!toggle id="macosx" text="Mac OS X"]]
[[!toggleable id="macosx" text="""
OS X autodiscovers and uses the NETBSD.ORG KDC as defined in DNS.
To use Kerberized TNF services, log in with your Kerberos [[password]]:

`$ kinit <username>@NETBSD.ORG`

The right-hand side is a Kerberos realm, not a DNS domain. Case is significant!
"""]]

#### [[!toggle id="netbsd" text="NetBSD"]]
[[!toggleable id="netbsd" text="""
NetBSD needs to be configured to prevent Kerberos from being used
to log into _your_ system, and then to enable Kerberos.

1. Either disable Kerberos auth for `sshd`, `login`, etc. in
   `/etc/pam.d`, or tell your relevant services not to use PAM.
   (Note that disabling KerberosAuthentication in `/etc/ssh/sshd_config`
   does NOT prevent `sshd` from invoking `pam_krb5.so` and prompting
   for a Kerberos password -- oops. Since you probably do not have a
   host key in the realm NETBSD.ORG you have little to fear from ssh's
   KerberosAuthentication method -- nothing can get tickets to use
   your machine, because there is no host instance for your machine
   shared between the NetBSD Kerberos server and your local keytab.
   So, the bottom line: turn off UsePAM for `sshd` or adjust your PAM
   configuration; don't worry about KerberosAuthentication or
   GSSAPIAuthentication in `sshd` itself.)
2. Create `/etc/krb5.conf` containing only the line `[libdefaults]`.

NetBSD will now autodiscover and use the NETBSD.ORG KDC as defined
in DNS. To use Kerberized TNF services, log in with your Kerberos
[[password]]:

`$ kinit <username>@NETBSD.ORG`

The right-hand side is a Kerberos realm, not a DNS domain. Case is significant!
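As an added example (not part of this wiki page), a POSIX sh audit for the two steps above on a NetBSD host: it reports whether any `/etc/pam.d` service still loads `pam_krb5.so`, whether `sshd_config` says `UsePAM no`, and whether `/etc/krb5.conf` carries the `[libdefaults]` section. The function names and messages are this example's own; it only reads the files and changes nothing.

```shell
#!/bin/sh
# Added example, not from the NetBSD wiki page: audit the files the steps
# above touch. Paths are parameters so the checks can run against copies;
# with no arguments they fall back to the live system files.

# 0 if no active (uncommented) pam_krb5.so line exists in any service file of
# the pam.d directory; 1, with a report on stdout, otherwise.
pam_krb5_disabled() {
    pamdir="${1:-/etc/pam.d}"
    [ -d "$pamdir" ] || { echo "cannot read $pamdir"; return 1; }
    rc=0
    for f in "$pamdir"/*; do
        [ -f "$f" ] || continue
        # an active entry starts with a facility name, never with '#'
        if grep -Eq '^[[:space:]]*(auth|account|password|session)[^#]*pam_krb5\.so' "$f"; then
            echo "pam_krb5.so still active in $f"
            rc=1
        fi
    done
    return $rc
}

# 0 only if sshd_config explicitly says "UsePAM no". sshd honours the first
# uncommented occurrence of a keyword, so that is the one inspected.
use_pam_disabled() {
    cfg="${1:-/etc/ssh/sshd_config}"
    val=$(awk 'tolower($1) == "usepam" { print tolower($2); exit }' "$cfg" 2>/dev/null)
    [ "$val" = "no" ]
}

# 0 if krb5.conf exists and contains a [libdefaults] section heading.
krb5_conf_present() {
    grep -q '^[[:space:]]*\[libdefaults\]' "${1:-/etc/krb5.conf}" 2>/dev/null
}

# Host verdict: 0 when sshd is covered by at least one of the two measures and
# the client side is set up; 1 otherwise. "UsePAM no" covers sshd alone.
kerberos_audit() {
    ok=0
    if ! pam_krb5_disabled "$1"; then
        if use_pam_disabled "$2"; then
            echo "sshd skips PAM; the services listed above still load pam_krb5.so"
        else
            echo "sshd can still prompt for a Kerberos password (UsePAM on, pam_krb5.so active)"
            ok=1
        fi
    fi
    krb5_conf_present "$3" || { echo "no [libdefaults] in ${3:-/etc/krb5.conf}"; ok=1; }
    return $ok
}
```

Run it as `kerberos_audit` with no arguments on the host itself, or point the three arguments at copies of `pam.d`, `sshd_config` and `krb5.conf` taken from another machine.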
"""]]