[[!tag kerberos howto]]

#### Why enable Kerberos on your system?

Convenience and security. With
[Kerberos](http://web.mit.edu/Kerberos/dialogue.html), a single
login grants access to all NetBSD web services. Configuration is easy
and you only have to do it once (sometimes less).

#### [[!toggle id="macosx" text="Mac OS X"]]
[[!toggleable id="macosx" text="""
OS X autodiscovers and uses the NETBSD.ORG KDC as defined in DNS.
To use Kerberized TNF services, log in with your Kerberos [[password]]:

`$ kinit <username>@NETBSD.ORG`

The right-hand side is a Kerberos realm, not a DNS domain. Case is significant!
"""]]

#### [[!toggle id="netbsd" text="NetBSD"]]
[[!toggleable id="netbsd" text="""
NetBSD needs to be configured to prevent Kerberos from being used
to log into _your_ system, and then to enable Kerberos.

7. Either disable Kerberos auth for `sshd`, `login`, etc. in
`/etc/pam.d`, or tell your relevant services not to use PAM.
(Note that disabling KerberosAuthentication in `/etc/ssh/sshd_config`
does NOT prevent `sshd` from invoking `pam_krb5.so` and prompting
for a Kerberos password -- oops. Since you probably do not have a
host key in the realm NETBSD.ORG you have little to fear from ssh's
KerberosAuthentication method -- nothing can get tickets to use
your machine, because there is no host instance for your machine
shared between the NetBSD Kerberos server and your local keytab.
So, the bottom line: turn off UsePAM for `sshd` or adjust your PAM
configuration; don't worry about KerberosAuthentication or
GSSAPIAuthentication in `sshd` itself.)
7. Create `/etc/krb5.conf` containing only the line `[libdefaults]`.
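
As an added example (not part of this wiki page or of NetBSD's own tooling), here is a small POSIX shell audit of the point made in step 1: it reads the contents of `sshd_config` and a PAM service file and reports whether `pam_krb5.so` is still reachable through `sshd`'s PAM path regardless of `KerberosAuthentication`. It assumes the standard `UsePAM yes|no` directive (OpenSSH honours the first occurrence and defaults to `no` when absent) and pam.d lines that name `pam_krb5.so`; the configuration contents below are constructed samples, not copied from any real host.

```shell
#!/bin/sh
# Added example, not from the NetBSD wiki. Checks whether sshd can still
# hand a login to pam_krb5.so even with KerberosAuthentication turned off.

# Return 0 (true) when the sshd_config text given in $1 enables PAM.
# sshd uses the FIRST UsePAM directive it sees; absent means "no".
sshd_uses_pam() {
    printf '%s\n' "$1" | awk '
        tolower($1) == "usepam" && !seen { val = tolower($2); seen = 1 }
        END { exit ((val == "yes") ? 0 : 1) }
    '
}

# Return 0 when any non-comment line of the PAM service file in $1
# references pam_krb5.so (comment lines start with optional blanks and #).
pam_has_krb5() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | grep -q 'pam_krb5\.so'
}

# $1: sshd_config contents, $2: /etc/pam.d/sshd contents.
# Prints a verdict; returns 0 when a Kerberos password prompt is possible.
krb5_prompt_possible() {
    if sshd_uses_pam "$1" && pam_has_krb5 "$2"; then
        echo "pam_krb5.so reachable via sshd (UsePAM yes): Kerberos prompt possible"
        return 0
    fi
    echo "pam_krb5.so not reachable via sshd"
    return 1
}

# --- constructed sample configurations (hypothetical, for illustration) ---
# The naive fix: KerberosAuthentication off, but PAM still enabled.
SSHD_BEFORE='KerberosAuthentication no
UsePAM yes'

# The fix the wiki recommends: PAM disabled for sshd.
SSHD_AFTER='KerberosAuthentication no
UsePAM no'

# A pam.d/sshd that still lists the Kerberos module.
PAMD_SSHD='# constructed sample /etc/pam.d/sshd
auth    sufficient  pam_krb5.so
auth    required    pam_unix.so'

# Demo: the first configuration is flagged, the second is not.
for cfg in "$SSHD_BEFORE" "$SSHD_AFTER"; do
    krb5_prompt_possible "$cfg" "$PAMD_SSHD" || :
done
```

To audit a real machine, feed it the live files, e.g. `krb5_prompt_possible "$(cat /etc/ssh/sshd_config)" "$(cat /etc/pam.d/sshd)"`; the same `pam_has_krb5` check applies to `/etc/pam.d/login` and the other services mentioned in step 1.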

NetBSD will now autodiscover and use the NETBSD.ORG KDC as defined
in DNS. To use Kerberized TNF services, log in with your Kerberos
[[password]]:

`$ kinit <username>@NETBSD.ORG`

The right-hand side is a Kerberos realm, not a DNS domain. Case is significant!
"""]]

#### [[!toggle id="windows" text="Windows XP"]]
[[!toggleable id="windows" text="""
Windows docs generally assume you want to add your machine to the realm and use Kerberos logins as system logins. This is not what we want.

Progress so far:

7. Download [Windows XP Service Pack 2 Support Tools](http://www.microsoft.com/downloads/details.aspx?FamilyId=49AE8576-9BB9-4126-9761-BA8011FABF38).
7. Install custom/full (whatever it takes to get everything installed).
7. From the Start menu, choose Run and enter `cmd` to get to the prompt.
7. `ksetup /AddKdc NETBSD.ORG`
7. `ksetup /MapUser <username>@NETBSD.ORG "%USERNAME%"`

This may or may not be on the right track. Don't know how to `kinit <username>@NETBSD.ORG` yet.
"""]]