File:  [NetBSD Developer Wiki] / wikisrc / kerberos / system.mdwn
Revision 1.2
Wed Oct 21 01:15:50 2009 UTC (14 years, 1 month ago) by schmonz
Branches: MAIN
CVS tags: HEAD
Wrap lines for happy terminal editing.

[[!tag kerberos howto]]

#### Why Kerberize your system?

Convenience and security. With
[Kerberos](http://web.mit.edu/Kerberos/dialogue.html), a single
login grants access to all NetBSD web services.

#### [[!toggle id="macosx" text="Mac OS X"]]
[[!toggleable id="macosx" text="""
OS X autodiscovers and uses the NETBSD.ORG KDC as defined in DNS.
To use Kerberized TNF services, log in with your Kerberos [[password]]:

`$ kinit <username>@NETBSD.ORG`

The right-hand side is a Kerberos realm, not a DNS domain. Case is significant!
"""]]

#### [[!toggle id="netbsd" text="NetBSD"]]
[[!toggleable id="netbsd" text="""
NetBSD needs to be configured to prevent Kerberos from being used
to log into _your_ system, and then to enable Kerberos.

1. Either disable Kerberos auth for `sshd`, `login`, etc. in
`/etc/pam.d`, or tell your relevant services not to use PAM.  
(Note that disabling KerberosAuthentication in `/etc/ssh/sshd_config`
does NOT prevent `sshd` from invoking `pam_krb5.so` and prompting
for a Kerberos password -- oops. Since you probably do not have a
host key in the realm NETBSD.ORG you have little to fear from ssh's
KerberosAuthentication method -- nothing can get tickets to use
your machine, because there is no host instance for your machine
shared between the NetBSD Kerberos server and your local keytab.
So, the bottom line: turn off UsePAM for `sshd` or adjust your PAM
configuration; don't worry about KerberosAuthentication or
GSSAPIAuthentication in `sshd` itself.)
2. Create `/etc/krb5.conf` containing only the line `[libdefaults]`.

NetBSD will now autodiscover and use the NETBSD.ORG KDC as defined
in DNS. To use Kerberized TNF services, log in with your Kerberos
[[password]]:

`$ kinit <username>@NETBSD.ORG`

The right-hand side is a Kerberos realm, not a DNS domain. Case is significant!
"""]]
