kerberos5.html

FreeBSD安装说明概述 FreeBSD 提供了一个以文字为主

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="generator" content="HTML Tidy, see www.w3.org" />
<title>Kerberos5</title>
<meta name="GENERATOR" content="Modular DocBook HTML Stylesheet Version 1.7" />
<link rel="HOME" title="FreeBSD 使用手册" href="index.html" />
<link rel="UP" title="安全" href="security.html" />
<link rel="PREVIOUS" title="KerberosIV" href="kerberosiv.html" />
<link rel="NEXT" title="Firewalls" href="firewalls.html" />
<link rel="STYLESHEET" type="text/css" href="docbook.css" />
<meta http-equiv="Content-Type" content="text/html; charset=GB2312" />
</head>
<body class="SECT1" bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#840084"
alink="#0000FF">
<div class="NAVHEADER">
<table summary="Header navigation table" width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<th colspan="3" align="center">FreeBSD 使用手册</th>
</tr>

<tr>
<td width="10%" align="left" valign="bottom"><a href="kerberosiv.html"
accesskey="P">Prev</a></td>
<td width="80%" align="center" valign="bottom">Chapter 10. 安全</td>
<td width="10%" align="right" valign="bottom"><a href="firewalls.html"
accesskey="N">Next</a></td>
</tr>
</table>

<hr align="LEFT" width="100%" />
</div>

<div class="SECT1">
<h1 class="SECT1"><a id="KERBEROS5" name="KERBEROS5">10.7. <b
class="APPLICATION">Kerberos5</b></a></h1>

<i class="AUTHORGROUP"><span class="CONTRIB">Contributed by</span> Tillman Hodgson.</i>
<i class="AUTHORGROUP"><span class="CONTRIB">Based on a contribution by</span> Mark
Murray.</i> 

<p>Every FreeBSD release beyond FreeBSD-5.1 includes support only for <b
class="APPLICATION">Kerberos5</b>. Hence <b class="APPLICATION">Kerberos5</b> is the only
version included, and its configuration is similar in many aspects to that of <b
class="APPLICATION">KerberosIV</b>. The following information only applies to <b
class="APPLICATION">Kerberos5</b> in post FreeBSD-5.0 releases. Users who wish to use the
<b class="APPLICATION">KerberosIV</b> package may install the <a
href="http://www.FreeBSD.org/cgi/url.cgi?ports/security/krb4/pkg-descr"><tt
class="FILENAME">security/krb4</tt></a> port.</p>

<p><b class="APPLICATION">Kerberos</b> is a network add-on system/protocol that allows
users to authenticate themselves through the services of a secure server. Services such
as remote login, remote copy, secure inter-system file copying and other high-risk tasks
are made considerably safer and more controllable.</p>

<p><b class="APPLICATION">Kerberos</b> can be described as an identity-verifying proxy
system. It can also be described as a trusted third-party authentication system. <b
class="APPLICATION">Kerberos</b> provides only one function -- the secure authentication
of users on the network. It does not provide authorization functions (what users are
allowed to do) or auditing functions (what those users did). After a client and server
have used <b class="APPLICATION">Kerberos</b> to prove their identity, they can also
encrypt all of their communications to assure privacy and data integrity as they go about
their business.</p>

<p>Therefore it is highly recommended that <b class="APPLICATION">Kerberos</b> be used
with other security methods which provide authorization and audit services.</p>

<p>The following instructions can be used as a guide on how to set up <b
class="APPLICATION">Kerberos</b> as distributed for FreeBSD. However, you should refer to
the relevant manual pages for a complete description.</p>

<p>For purposes of demonstrating a <b class="APPLICATION">Kerberos</b> installation, the
various namespaces will be handled as follows:</p>

<ul>
<li>
<p>The <acronym class="ACRONYM">DNS</acronym> domain (``zone'') will be example.org.</p>
</li>

<li>
<p>The <b class="APPLICATION">Kerberos</b> realm will be EXAMPLE.ORG.</p>
</li>
</ul>

<div class="NOTE">
<blockquote class="NOTE">
<p><b>Note:</b> Please use real domain names when setting up <b
class="APPLICATION">Kerberos</b> even if you intend to run it internally. This avoids
<acronym class="ACRONYM">DNS</acronym> problems and assures inter-operation with other <b
class="APPLICATION">Kerberos</b> realms.</p>
</blockquote>
</div>

<div class="SECT2">
<h2 class="SECT2"><a id="AEN11561" name="AEN11561">10.7.1. History</a></h2>

<p><b class="APPLICATION">Kerberos</b> was created by <acronym
class="ACRONYM">MIT</acronym> as a solution to network security problems. The <b
class="APPLICATION">Kerberos</b> protocol uses strong cryptography so that a client can
prove its identity to a server (and vice versa) across an insecure network
connection.</p>

<p><b class="APPLICATION">Kerberos</b> is both the name of a network authentication
protocol and an adjective to describe programs that implement the program (<b
class="APPLICATION">Kerberos</b> telnet, for example). The current version of the
protocol is version 5, described in <acronym class="ACRONYM">RFC</acronym>&nbsp;1510.</p>

<p>Several free implementations of this protocol are available, covering a wide range of
operating systems. The Massachusetts Institute of Technology (<acronym
class="ACRONYM">MIT</acronym>), where <b class="APPLICATION">Kerberos</b> was originally
developed, continues to develop their <b class="APPLICATION">Kerberos</b> package. It is
commonly used in the <acronym class="ACRONYM">US</acronym> as a cryptography product, as
such it has historically been affected by <acronym class="ACRONYM">US</acronym> export
regulations. The <acronym class="ACRONYM">MIT</acronym> <b
class="APPLICATION">Kerberos</b> is available as a port (<a
href="http://www.FreeBSD.org/cgi/url.cgi?ports/security/krb5/pkg-descr"><tt
class="FILENAME">security/krb5</tt></a>). Heimdal <b class="APPLICATION">Kerberos</b> is
another version 5 implementation, and was explicitly developed outside of the <acronym
class="ACRONYM">US</acronym> to avoid export regulations (and is thus often included in
non-commercial <span class="TRADEMARK">UNIX</span>&reg; variants). The Heimdal <b
class="APPLICATION">Kerberos</b> distribution is available as a port (<a
href="http://www.FreeBSD.org/cgi/url.cgi?ports/security/heimdal/pkg-descr"><tt
class="FILENAME">security/heimdal</tt></a>), and a minimal installation of it is included
in the base FreeBSD install.</p>

<p>In order to reach the widest audience, these instructions assume the use of the
Heimdal distribution included in FreeBSD.</p>
</div>

<div class="SECT2">
<h2 class="SECT2"><a id="AEN11589" name="AEN11589">10.7.2. Setting up a Heimdal <acronym
class="ACRONYM">KDC</acronym></a></h2>

<p>The Key Distribution Center (<acronym class="ACRONYM">KDC</acronym>) is the
centralized authentication service that <b class="APPLICATION">Kerberos</b> provides --
it is the computer that issues <b class="APPLICATION">Kerberos</b> tickets. The <acronym
class="ACRONYM">KDC</acronym> is considered ``trusted'' by all other computers in the <b
class="APPLICATION">Kerberos</b> realm, and thus has heightened security concerns.</p>

<p>Note that while running the <b class="APPLICATION">Kerberos</b> server requires very
few computing resources, a dedicated machine acting only as a <acronym
class="ACRONYM">KDC</acronym> is recommended for security reasons.</p>

<p>To begin setting up a <acronym class="ACRONYM">KDC</acronym>, ensure that your <tt
class="FILENAME">/etc/rc.conf</tt> file contains the correct settings to act as a
<acronym class="ACRONYM">KDC</acronym> (you may need to adjust paths to reflect your own
system):</p>

<pre class="PROGRAMLISTING">
kerberos5_server_enable="YES"
kadmind5_server_enable="YES"
kerberos_stash="YES"
</pre>

<div class="NOTE">
<blockquote class="NOTE">
<p><b>Note:</b> The <var class="OPTION">kerberos_stash</var> is only available in FreeBSD
4.X.</p>
</blockquote>
</div>

<p>Next we will set up your <b class="APPLICATION">Kerberos</b> config file, <tt
class="FILENAME">/etc/krb5.conf</tt>:</p>

<pre class="PROGRAMLISTING">
[libdefaults]
    default_realm = EXAMPLE.ORG
[realms]
    EXAMPLE.ORG = {
        kdc = kerberos.example.org
    }
[domain_realm]
    .example.org = EXAMPLE.ORG
</pre>

<p>Note that this <tt class="FILENAME">/etc/krb5.conf</tt> file implies that your
<acronym class="ACRONYM">KDC</acronym> will have the fully-qualified hostname of <tt
class="HOSTID">kerberos.example.org</tt>. You will need to add a CNAME (alias) entry to
your zone file to accomplish this if your <acronym class="ACRONYM">KDC</acronym> has a
different hostname.</p>

<div class="NOTE">
<blockquote class="NOTE">
<p><b>Note:</b> For large networks with a properly configured <acronym
class="ACRONYM">BIND</acronym> <acronym class="ACRONYM">DNS</acronym> server, the above
example could be trimmed to:</p>

<pre class="PROGRAMLISTING">
[libdefaults]
      default_realm = EXAMPLE.ORG
</pre>

<p>With the following lines being appended to the <tt class="HOSTID">example.org</tt>
zonefile:</p>

<pre class="PROGRAMLISTING">
_kerberos._udp      IN  SRV     01 00 88 kerberos.example.org.
_kerberos._tcp      IN  SRV     01 00 88 kerberos.example.org.
_kpasswd._udp       IN  SRV     01 00 464 kerberos.example.org.
_kerberos-adm._tcp  IN  SRV     01 00 749 kerberos.example.org.
_kerberos           IN  TXT     EXAMPLE.ORG.
</pre>
</blockquote>
</div>

<p>Next we will create the <b class="APPLICATION">Kerberos</b> database. This database
contains the keys of all principals encrypted with a master password. You are not
required to remember this password, it will be stored in a file (<tt
class="FILENAME">/var/heimdal/m-key</tt>). To create the master key, run <tt
class="COMMAND">kstash</tt> and enter a password.</p>

<p>Once the master key has been created, you can initialize the database using the <tt
class="COMMAND">kadmin</tt> program with the <var class="LITERAL">-l</var> option
(standing for ``local''). This option instructs <tt class="COMMAND">kadmin</tt> to modify
the database files directly rather than going through the <tt
class="COMMAND">kadmind</tt> network service. This handles the chicken-and-egg problem of
trying to connect to the database before it is created. Once you have the <tt
class="COMMAND">kadmin</tt> prompt, use the <tt class="COMMAND">init</tt> command to
create your realms initial database.</p>

<p>Lastly, while still in <tt class="COMMAND">kadmin</tt>, create your first principal
using the <tt class="COMMAND">add</tt> command. Stick to the defaults options for the
principal for now, you can always change them later with the <tt
class="COMMAND">modify</tt> command. Note that you can use the <var
class="LITERAL">?</var> command at any prompt to see the available options.</p>

<p>A sample database creation session is shown below:</p>

<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">kstash</kbd>
Master key: <kbd class="USERINPUT">xxxxxxxx</kbd>
Verifying password - Master key: <kbd class="USERINPUT">xxxxxxxx</kbd>

<samp class="PROMPT">#</samp> <kbd class="USERINPUT">kadmin -l</kbd>
kadmin&#62; <kbd class="USERINPUT">init EXAMPLE.ORG</kbd>
Realm max ticket life [unlimited]:
kadmin&#62; <kbd class="USERINPUT">add tillman</kbd>
Max ticket life [unlimited]:
Max renewable life [unlimited]:
Attributes []: