Annotation of wikisrc/kerberos/system.mdwn, revision 1.3

[[!tag kerberos howto]]

#### Why enable Kerberos on your system?

Convenience and security. With
[Kerberos](http://web.mit.edu/Kerberos/dialogue.html), a single
login grants access to all NetBSD web services. Configuration is easy
and you only have to do it once per system (on some systems, such as
OS X, not at all).

#### [[!toggle id="macosx" text="Mac OS X"]]
[[!toggleable id="macosx" text="""
OS X autodiscovers and uses the NETBSD.ORG KDC as defined in DNS.
To use Kerberized TNF services, log in with your Kerberos [[password]]:

`$ kinit <username>@NETBSD.ORG`

The right-hand side is a Kerberos realm, not a DNS domain. Case is significant!
"""]]

#### [[!toggle id="netbsd" text="NetBSD"]]
[[!toggleable id="netbsd" text="""
NetBSD needs two changes: first, stop Kerberos from being accepted as
a way to log into _your_ system; then enable it as a client.

7. Either disable Kerberos auth for `sshd`, `login`, etc. in
`/etc/pam.d`, or tell your relevant services not to use PAM.  
(Note that disabling KerberosAuthentication in `/etc/ssh/sshd_config`
does NOT prevent `sshd` from invoking `pam_krb5.so` and prompting
for a Kerberos password -- oops: PAM runs its own stack regardless of
which of `sshd`'s built-in methods are switched on. The built-in
methods themselves are harmless here. You almost certainly have no
host key for your machine in the realm NETBSD.ORG, i.e. no host
principal shared between the NetBSD KDC and your local keytab, so
nobody can obtain a ticket for your machine (which GSSAPIAuthentication
needs), and `sshd` cannot verify a Kerberos-password login against
the host key (which KerberosAuthentication requires before it accepts
the password). So, the bottom line: turn off UsePAM for `sshd` or
adjust your PAM configuration; don't worry about
KerberosAuthentication or GSSAPIAuthentication in `sshd` itself.)
7. Create `/etc/krb5.conf` containing only the line `[libdefaults]`.
(An empty `[libdefaults]` section, with no static `kdc =` entry, makes
the Heimdal libraries locate the realm's KDC through DNS SRV records.)

NetBSD will now autodiscover and use the NETBSD.ORG KDC as defined
in DNS. To use Kerberized TNF services, log in with your Kerberos
[[password]]:

`$ kinit <username>@NETBSD.ORG`

The right-hand side is a Kerberos realm, not a DNS domain. Case is significant!
"""]]

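As an added example (not code from the NetBSD wiki or the NetBSD project), the following POSIX shell script performs the two checks behind the steps above against constructed sample copies of `/etc/ssh/sshd_config` and `/etc/pam.d/sshd`, and prints the minimal `/etc/krb5.conf`. The sample file contents, the temporary directory and the function names are this script's own assumptions; point the functions at the real files to audit a live system.

```shell
#!/bin/sh
# Added example, not code from the NetBSD wiki: audit the two settings the
# steps above change. All file contents below are constructed samples and
# the function names are this script's own; real systems use
# /etc/ssh/sshd_config and /etc/pam.d/sshd (and /etc/pam.d/login).

# True (exit 0) if a pam.d service file still activates pam_krb5.
# Only comment lines are ignored: a pam_krb5.so line with any control flag
# (required, sufficient, optional, ...) still prompts for a Kerberos
# password and sends it to the KDC.
pam_uses_krb5() {
    grep -v '^[[:space:]]*#' "$1" | grep -q 'pam_krb5\.so'
}

# Print the effective UsePAM value from an sshd_config ("yes", "no", or
# "unset" when the keyword is absent). sshd honours the first occurrence
# of a keyword, hence head -n 1.
sshd_usepam() {
    v=$(grep -i '^[[:space:]]*UsePAM[[:space:]]' "$1" | head -n 1 | awk '{ print tolower($2) }')
    if [ -n "$v" ]; then echo "$v"; else echo unset; fi
}

# Verdict for sshd: "safe" when sshd does not use PAM or the PAM stack no
# longer calls pam_krb5; "exposed" when pam_krb5 is still active and UsePAM
# is yes (or unset, which is treated conservatively as enabled).
sshd_kerberos_exposure() {
    if pam_uses_krb5 "$2"; then
        case $(sshd_usepam "$1") in
            no) echo safe ;;
            *)  echo exposed ;;
        esac
    else
        echo safe
    fi
}

# The krb5.conf the steps prescribe: an empty [libdefaults] section, so
# the Heimdal libraries locate the KDC through DNS SRV records.
minimal_krb5_conf() {
    printf '[libdefaults]\n'
}

# ---- constructed sample files (not the real NetBSD defaults) ----
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/pam_sshd_krb" <<'EOF'
# constructed sample: Kerberos still active in the stack
auth    sufficient  pam_krb5.so
auth    required    pam_unix.so
EOF
cat > "$tmp/pam_sshd_fixed" <<'EOF'
# constructed sample: pam_krb5 commented out
#auth   sufficient  pam_krb5.so
auth    required    pam_unix.so
EOF
printf 'UsePAM yes\nKerberosAuthentication no\n' > "$tmp/sshd_config_pam"
printf 'UsePAM no\nKerberosAuthentication no\n'  > "$tmp/sshd_config_nopam"

# Report. The first combination is the "oops" case from the text:
# KerberosAuthentication is off, yet PAM still prompts for a Kerberos password.
echo "UsePAM yes + pam_krb5 active:    $(sshd_kerberos_exposure "$tmp/sshd_config_pam"   "$tmp/pam_sshd_krb")"
echo "UsePAM no  + pam_krb5 active:    $(sshd_kerberos_exposure "$tmp/sshd_config_nopam" "$tmp/pam_sshd_krb")"
echo "UsePAM yes + pam_krb5 commented: $(sshd_kerberos_exposure "$tmp/sshd_config_pam"   "$tmp/pam_sshd_fixed")"
minimal_krb5_conf
```

On a live system run `sshd_kerberos_exposure /etc/ssh/sshd_config /etc/pam.d/sshd`, and check `/etc/pam.d/login` with `pam_uses_krb5` as well. `pam_uses_krb5` deliberately counts a `pam_krb5.so` line with any control flag, because a `sufficient` or `optional` entry still prompts for and transmits a Kerberos password. To confirm the DNS autodiscovery that step 2 relies on, `dig -t SRV _kerberos._udp.NETBSD.ORG` should return the KDC.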
#### [[!toggle id="windows" text="Windows XP"]]
[[!toggleable id="windows" text="""
Windows docs generally assume you want to join your machine to the realm and use Kerberos logins as system logins. This is not what we want.

Progress so far:

7. Download [Windows XP Service Pack 2 Support Tools](http://www.microsoft.com/downloads/details.aspx?FamilyId=49AE8576-9BB9-4126-9761-BA8011FABF38).
7. Install custom/full (whatever it takes to get everything installed).
7. From the Start menu, choose Run and enter `cmd` to get to the prompt.
7. `ksetup /AddKdc NETBSD.ORG` (with no KDC name given, Windows locates the realm's KDC through DNS).
7. `ksetup /MapUser <username>@NETBSD.ORG "%USERNAME%"`

This may or may not be on the right track. Note that `/MapUser` maps the realm principal onto the local account for logon, which is exactly the Kerberos-as-system-login behaviour described above, so it is probably not wanted. Don't know how to `kinit <username>@NETBSD.ORG` yet.
"""]]
