Return to system.mdwn CVS log

Up to [NetBSD Developer Wiki] / wikisrc / kerberos

Annotation of wikisrc/kerberos/system.mdwn, revision 1.5

1.1       schmonz     1: [[!tag kerberos howto]]
                      2: 
1.3       wiki        3: #### Why enable Kerberos on your system?
1.1       schmonz     4: 
1.2       schmonz     5: Convenience and security. With
                      6: [Kerberos](http://web.mit.edu/Kerberos/dialogue.html), a single
1.3       wiki        7: login grants access to all NetBSD web services. Configuration is easy
                      8: and you only have to do it once (sometimes less).
1.1       schmonz     9: 
                     10: #### [[!toggle id="macosx" text="Mac OS X"]]
                     11: [[!toggleable id="macosx" text="""
1.2       schmonz    12: OS X autodiscovers and uses the NETBSD.ORG KDC as defined in DNS.
                     13: To use Kerberized TNF services, log in with your Kerberos [[password]]:
1.1       schmonz    14: 
                     15: `$ kinit <username>@NETBSD.ORG`
                     16: 
                     17: The right-hand side is a Kerberos realm, not a DNS domain. Case is significant!
1.5     ! schmonz    18: 
        !            19: ##### A Keychain trick
        !            20: 
        !            21: To pop up a GUI password dialog:
        !            22: 
        !            23: `$ kinit <username>@NETBSD.ORG </dev/null`
        !            24: 
        !            25: Check "Remember this password in my keychain" to simplify future
        !            26: logins down to a one-word, prompt-free command:
        !            27: 
        !            28: `$ kinit`
1.1       schmonz    29: """]]
                     30: 
                     31: #### [[!toggle id="netbsd" text="NetBSD"]]
                     32: [[!toggleable id="netbsd" text="""
1.2       schmonz    33: NetBSD needs to be configured to prevent Kerberos from being used
                     34: to log into _your_ system, and then to enable Kerberos.
1.1       schmonz    35: 
1.2       schmonz    36: 7. Either disable Kerberos auth for `sshd`, `login`, etc. in
1.4       wiki       37: `/etc/pam.d`, or tell your relevant services not to use PAM.
                     38: 
                     39:    /!\ Disabling KerberosAuthentication in `/etc/ssh/sshd_config` does **NOT** prevent `sshd` from invoking `pam_krb5.so` and prompting for a Kerberos password -- oops. Since you probably do not have a host key in the realm NETBSD.ORG you have little to fear from ssh's KerberosAuthentication method -- nothing can get tickets to use your machine, because there is no host instance for your machine shared between the NetBSD kerberos server and your local keytab. So, the bottom line: turn off UsePAM for `sshd` or adjust your PAM configuration; don't worry about KerberosAuthentication or GSSAPIAuthentication in `sshd` itself.
                     40: 
1.1       schmonz    41: 7. Create `/etc/krb5.conf` containing only the line `[libdefaults]`.
                     42: 
1.2       schmonz    43: NetBSD will now autodiscover and uses the NETBSD.ORG KDC as defined
                     44: in DNS. To use Kerberized TNF services, log in with your Kerberos
                     45: [[password]]:
1.1       schmonz    46: 
                     47: `$ kinit <username>@NETBSD.ORG`
                     48: 
                     49: The right-hand side is a Kerberos realm, not a DNS domain. Case is significant!
                     50: """]]
1.3       wiki       51: 
                     52: #### [[!toggle id="windows" text="Windows XP"]]
                     53: [[!toggleable id="windows" text="""
                     54: 
1.4       wiki       55: Windows does not provide an easy way to configure and use KDCs different from the one embedded into an Active Directory.
                     56: 
                     57: Therefore, to use [[Kerberos]], you should follow the following steps:
                     58: 
                     59: 7. Download the [MIT Kerberos for Windows](http://web.mit.edu/Kerberos/dist/#kfw-3.2) installer. It is composed of different tools traditionally found with Kerberos distributions, like [[!template id=man name=kinit section=1]] or [[!template id=man name=klist section=1]], and a Network Identity Manager, an application used to manage credential caching of Kerberos tickets.
                     60: 
                     61: 7. Install the package. Use the default provided options, then restart the computer.
                     62: 
                     63: 7. The Network Identity Manager [(PDF)](http://web.mit.edu/kerberos/kfw-3.2/kfw-3.2.2/netidmgr_userdoc.pdf) should automatically start when you login. As there is no principal currently configured, it should open a dialog box to obtain the new credentials.
                     64: 
                     65: 7. Enter your principal:
                     66: 
                     67:         Username: <username>
                     68:         Realm: NETBSD.ORG
1.3       wiki       69: 
1.4       wiki       70: 7. Click `Ok`. After a few seconds, it should obtain the TGT for you from NetBSD.ORG KDC.
1.3       wiki       71: 
                     72: """]]