File:  [NetBSD Developer Wiki] / wikisrc / kerberos / system.mdwn
Revision 1.3
Thu Nov 5 03:14:44 2009 UTC (12 years, 1 month ago) by wiki
Branches: MAIN
CVS tags: HEAD
web commit by schmonz: add best-guess XP instructions (incomplete)

[[!tag kerberos howto]]

#### Why enable Kerberos on your system?

Convenience and security. With
[Kerberos](http://web.mit.edu/Kerberos/dialogue.html), a single
login grants access to all NetBSD web services. Configuration is easy
and you only have to do it once (sometimes less).

#### [[!toggle id="macosx" text="Mac OS X"]]
[[!toggleable id="macosx" text="""
OS X autodiscovers and uses the NETBSD.ORG KDC as defined in DNS.
To use Kerberized TNF services, log in with your Kerberos [[password]]:

`$ kinit <username>@NETBSD.ORG`

The right-hand side is a Kerberos realm, not a DNS domain. Case is significant!
"""]]
   19: 
#### [[!toggle id="netbsd" text="NetBSD"]]
[[!toggleable id="netbsd" text="""
NetBSD needs to be configured to prevent Kerberos from being used
to log into _your_ system, and then to enable Kerberos.

1. Either disable Kerberos auth for `sshd`, `login`, etc. in
`/etc/pam.d`, or tell your relevant services not to use PAM.  
(Note that disabling KerberosAuthentication in `/etc/ssh/sshd_config`
does NOT prevent `sshd` from invoking `pam_krb5.so` and prompting
for a Kerberos password -- oops. Since you probably do not have a
host key in the realm NETBSD.ORG you have little to fear from ssh's
KerberosAuthentication method -- nothing can get tickets to use
your machine, because there is no host instance for your machine
shared between the NetBSD Kerberos server and your local keytab.
So, the bottom line: turn off UsePAM for `sshd` or adjust your PAM
configuration; don't worry about KerberosAuthentication or
GSSAPIAuthentication in `sshd` itself.)
2. Create `/etc/krb5.conf` containing only the line `[libdefaults]`.

NetBSD will now autodiscover and use the NETBSD.ORG KDC as defined
in DNS. To use Kerberized TNF services, log in with your Kerberos
[[password]]:

`$ kinit <username>@NETBSD.ORG`

The right-hand side is a Kerberos realm, not a DNS domain. Case is significant!
"""]]
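As an added check for the pitfall in the NetBSD steps above (this is example code, not part of the wiki page): a small sh audit that reports whether `sshd` can still reach `pam_krb5.so` even with `KerberosAuthentication no`, run here against constructed sample files. The helper names, the sample files and the assumed `UsePAM` default are this example's own.

```shell
#!/bin/sh
# Added example, not from the wiki page: audit the pitfall above, namely that
# "KerberosAuthentication no" in sshd_config does not stop sshd from running
# pam_krb5.so while UsePAM is on. The helper names, the sample files and the
# assumed UsePAM default are this example's own.

# Effective value of sshd_config keyword $2 in file $1 (sshd uses the first
# uncommented match); $3 is the value assumed when the keyword is absent.
sshd_opt() {
    v=$(awk -v k="$2" 'tolower($1) == tolower(k) && !seen { v = $2; seen = 1 }
                       END { print v }' "$1")
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$3"; fi
}

# Exit 0 if the PAM stack in file $1 has an uncommented pam_krb5 entry.
pam_uses_krb5() {
    grep -v '^[[:space:]]*#' "$1" | grep -q 'pam_krb5'
}

# Exit 0 if sshd (config $1, PAM service file $2) can still prompt for a
# Kerberos password; 1 if the Kerberos path through PAM is closed.
# UsePAM is assumed to default to yes, as the text above implies for NetBSD.
sshd_can_prompt_krb5() {
    case "$(sshd_opt "$1" UsePAM yes)" in
        [Nn][Oo]) return 1 ;;   # PAM skipped entirely, pam_krb5 never runs
    esac
    pam_uses_krb5 "$2"          # PAM on: it depends on the stack
}

# Constructed sample files (not real NetBSD files) to exercise the check.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/pam_sshd" <<'EOF'
# constructed stand-in for /etc/pam.d/sshd, Kerberos still enabled
auth    sufficient  pam_krb5.so
auth    required    pam_unix.so
EOF
printf 'KerberosAuthentication no\nUsePAM yes\n' > "$SAMPLE_DIR/sshd_krbauth_off"
printf 'KerberosAuthentication no\nUsePAM no\n'  > "$SAMPLE_DIR/sshd_usepam_off"

for cfg in sshd_krbauth_off sshd_usepam_off; do
    if sshd_can_prompt_krb5 "$SAMPLE_DIR/$cfg" "$SAMPLE_DIR/pam_sshd"; then
        echo "$cfg: sshd can still prompt for a Kerberos password via pam_krb5"
    else
        echo "$cfg: Kerberos path through PAM is closed"
    fi
done
```

Only the first of the two sample configs is reported as still prompting: turning off `KerberosAuthentication` alone leaves `pam_krb5.so` reachable, while `UsePAM no` closes that path.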
   47: 
#### [[!toggle id="windows" text="Windows XP"]]
[[!toggleable id="windows" text="""
Windows docs generally assume you want to add your machine to the realm and use Kerberos logins as system logins. This is not what we want.

Progress so far:

1. Download [Windows XP Service Pack 2 Support Tools](http://www.microsoft.com/downloads/details.aspx?FamilyId=49AE8576-9BB9-4126-9761-BA8011FABF38).
2. Install custom/full (whatever it takes to get everything installed).
3. From the Start menu, choose Run and enter `cmd` to get to the prompt.
4. `ksetup /AddKdc NETBSD.ORG`
5. `ksetup /MapUser <username>@NETBSD.ORG "%USERNAME%"`

This may or may not be on the right track. Don't know how to `kinit <username>@NETBSD.ORG` yet.
"""]]
