kerberosiv.html

FreeBSD安装说明概述 FreeBSD 提供了一个以文字为主

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="generator" content="HTML Tidy, see www.w3.org" />
<title>KerberosIV</title>
<meta name="GENERATOR" content="Modular DocBook HTML Stylesheet Version 1.7" />
<link rel="HOME" title="FreeBSD 使用手册" href="index.html" />
<link rel="UP" title="安全" href="security.html" />
<link rel="PREVIOUS" title="One-time Passwords" href="one-time-passwords.html" />
<link rel="NEXT" title="Kerberos5" href="kerberos5.html" />
<link rel="STYLESHEET" type="text/css" href="docbook.css" />
<meta http-equiv="Content-Type" content="text/html; charset=GB2312" />
</head>
<body class="SECT1" bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#840084"
alink="#0000FF">
<div class="NAVHEADER">
<table summary="Header navigation table" width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<th colspan="3" align="center">FreeBSD 使用手册</th>
</tr>

<tr>
<td width="10%" align="left" valign="bottom"><a href="one-time-passwords.html"
accesskey="P">Prev</a></td>
<td width="80%" align="center" valign="bottom">Chapter 10. 安全</td>
<td width="10%" align="right" valign="bottom"><a href="kerberos5.html"
accesskey="N">Next</a></td>
</tr>
</table>

<hr align="LEFT" width="100%" />
</div>

<div class="SECT1">
<h1 class="SECT1"><a id="KERBEROSIV" name="KERBEROSIV">10.6. KerberosIV</a></h1>

<i class="AUTHORGROUP"><span class="CONTRIB">Contributed by</span> Mark Murray.</i> <i
class="AUTHORGROUP"><span class="CONTRIB">Based on a contribution by</span> Mark
Dapoz.</i> 

<p>Kerberos is a network add-on system/protocol that allows users to authenticate
themselves through the services of a secure server. Services such as remote login, remote
copy, secure inter-system file copying and other high-risk tasks are made considerably
safer and more controllable.</p>

<p>The following instructions can be used as a guide on how to set up Kerberos as
distributed for FreeBSD. However, you should refer to the relevant manual pages for a
complete description.</p>

<div class="SECT2">
<h2 class="SECT2"><a id="AEN11201" name="AEN11201">10.6.1. Installing KerberosIV</a></h2>

<p>Kerberos is an optional component of FreeBSD. The easiest way to install this software
is by selecting the <var class="LITERAL">krb4</var> or <var class="LITERAL">krb5</var>
distribution in <b class="APPLICATION">sysinstall</b> during the initial installation of
FreeBSD. This will install the ``eBones'' (KerberosIV) or ``Heimdal'' (Kerberos5)
implementation of Kerberos. These implementations are included because they are developed
outside the USA/Canada and were thus available to system owners outside those countries
during the era of restrictive export controls on cryptographic code from the USA.</p>

<p>Alternatively, the MIT implementation of Kerberos is available from the ports
collection as <a
href="http://www.FreeBSD.org/cgi/url.cgi?ports/security/krb5/pkg-descr"><tt
class="FILENAME">security/krb5</tt></a>.</p>
</div>

<div class="SECT2">
<h2 class="SECT2"><a id="AEN11216" name="AEN11216">10.6.2. Creating the Initial
Database</a></h2>

<p>This is done on the Kerberos server only. First make sure that you do not have any old
Kerberos databases around. You should change to the directory <tt
class="FILENAME">/etc/kerberosIV</tt> and check that only the following files are
present:</p>

<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">cd /etc/kerberosIV</kbd>
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">ls</kbd>
README      krb.conf        krb.realms
</pre>

<p>If any additional files (such as <tt class="FILENAME">principal.*</tt> or <tt
class="FILENAME">master_key</tt>) exist, then use the <tt
class="COMMAND">kdb_destroy</tt> command to destroy the old Kerberos database, or if
Kerberos is not running, simply delete the extra files.</p>

<p>You should now edit the <tt class="FILENAME">krb.conf</tt> and <tt
class="FILENAME">krb.realms</tt> files to define your Kerberos realm. In this case the
realm will be <var class="LITERAL">EXAMPLE.COM</var> and the server is <tt
class="HOSTID">grunt.example.com</tt>. We edit or create the <tt
class="FILENAME">krb.conf</tt> file:</p>

<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">cat krb.conf</kbd>
EXAMPLE.COM
EXAMPLE.COM grunt.example.com admin server
CS.BERKELEY.EDU okeeffe.berkeley.edu
ATHENA.MIT.EDU kerberos.mit.edu
ATHENA.MIT.EDU kerberos-1.mit.edu
ATHENA.MIT.EDU kerberos-2.mit.edu
ATHENA.MIT.EDU kerberos-3.mit.edu
LCS.MIT.EDU kerberos.lcs.mit.edu
TELECOM.MIT.EDU bitsy.mit.edu
ARC.NASA.GOV trident.arc.nasa.gov
</pre>

<p>In this case, the other realms do not need to be there. They are here as an example of
how a machine may be made aware of multiple realms. You may wish to not include them for
simplicity.</p>

<p>The first line names the realm in which this system works. The other lines contain
realm/host entries. The first item on a line is a realm, and the second is a host in that
realm that is acting as a ``key distribution center''. The words <var
class="LITERAL">admin server</var> following a host's name means that host also provides
an administrative database server. For further explanation of these terms, please consult
the Kerberos manual pages.</p>

<p>Now we have to add <tt class="HOSTID">grunt.example.com</tt> to the <var
class="LITERAL">EXAMPLE.COM</var> realm and also add an entry to put all hosts in the <tt
class="HOSTID">.example.com</tt> domain in the <var class="LITERAL">EXAMPLE.COM</var>
realm. The <tt class="FILENAME">krb.realms</tt> file would be updated as follows:</p>

<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">cat krb.realms</kbd>
grunt.example.com EXAMPLE.COM
.example.com EXAMPLE.COM
.berkeley.edu CS.BERKELEY.EDU
.MIT.EDU ATHENA.MIT.EDU
.mit.edu ATHENA.MIT.EDU
</pre>

<p>Again, the other realms do not need to be there. They are here as an example of how a
machine may be made aware of multiple realms. You may wish to remove them to simplify
things.</p>

<p>The first line puts the <span class="emphasis"><i class="EMPHASIS">specific</i></span>
system into the named realm. The rest of the lines show how to default systems of a
particular subdomain to a named realm.</p>

<p>Now we are ready to create the database. This only needs to run on the Kerberos server
(or Key Distribution Center). Issue the <tt class="COMMAND">kdb_init</tt> command to do
this:</p>

<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">kdb_init</kbd>
<samp class="PROMPT">Realm name [default  ATHENA.MIT.EDU ]:</samp> <kbd
class="USERINPUT">EXAMPLE.COM</kbd>
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.

<samp class="PROMPT">Enter Kerberos master key:</samp>
</pre>

<p>Now we have to save the key so that servers on the local machine can pick it up. Use
the <tt class="COMMAND">kstash</tt> command to do this:</p>

<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">kstash</kbd>

<samp class="PROMPT">Enter Kerberos master key:</samp>

Current Kerberos master key version is 1.

Master key entered. BEWARE!
</pre>

<p>This saves the encrypted master password in <tt
class="FILENAME">/etc/kerberosIV/master_key</tt>.</p>
</div>

<div class="SECT2">
<h2 class="SECT2"><a id="AEN11270" name="AEN11270">10.6.3. Making It All Run</a></h2>

<p>Two principals need to be added to the database for <span class="emphasis"><i
class="EMPHASIS">each</i></span> system that will be secured with Kerberos. Their names
are <var class="LITERAL">kpasswd</var> and <var class="LITERAL">rcmd</var>. These two
principals are made for each system, with the instance being the name of the individual
system.</p>

<p>These daemons, <b class="APPLICATION">kpasswd</b> and <b class="APPLICATION">rcmd</b>
allow other systems to change Kerberos passwords and run commands like <span
class="CITEREFENTRY"><span class="REFENTRYTITLE">rcp</span>(1)</span>, <span
class="CITEREFENTRY"><span class="REFENTRYTITLE">rlogin</span>(1)</span> and <span
class="CITEREFENTRY"><span class="REFENTRYTITLE">rsh</span>(1)</span>.</p>

<p>Now let us add these entries:</p>

<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">kdb_edit</kbd>
Opening database...

<samp class="PROMPT">Enter Kerberos master key:</samp>

Current Kerberos master key version is 1.

Master key entered.  BEWARE!
Previous or default values are in [brackets] ,
enter return to leave the same, or new value.

<samp class="PROMPT">Principal name:</samp> <kbd class="USERINPUT">passwd</kbd>
<samp class="PROMPT">Instance:</samp> <kbd class="USERINPUT">grunt</kbd>

&lt;Not found&gt;, <samp class="PROMPT">Create [y] ?</samp> <kbd
class="USERINPUT">y</kbd>

Principal: passwd, Instance: grunt, kdc_key_ver: 1
<samp class="PROMPT">New Password:</samp>                    &lt;---- enter RANDOM here
Verifying password

<samp class="PROMPT">New Password:</samp> &lt;---- enter RANDOM here

<samp class="PROMPT">Random password [y] ?</samp> <kbd class="USERINPUT">y</kbd>

Principal's new key version = 1
<samp class="PROMPT">Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ?</samp>
<samp class="PROMPT">Max ticket lifetime (*5 minutes) [ 255 ] ?</samp>
<samp class="PROMPT">Attributes [ 0 ] ?</samp>
Edit O.K.
<samp class="PROMPT">Principal name:</samp> <kbd class="USERINPUT">rcmd</kbd>
<samp class="PROMPT">Instance:</samp> <kbd class="USERINPUT">grunt</kbd>

&lt;Not found&gt;, <samp class="PROMPT">Create [y] ?</samp>

Principal: rcmd, Instance: grunt, kdc_key_ver: 1
<samp class="PROMPT">New Password:</samp>       &lt;---- enter RANDOM here
Verifying password

<samp class="PROMPT">New Password:</samp>           &lt;---- enter RANDOM here

<samp class="PROMPT">Random password [y] ?</samp>

Principal's new key version = 1
<samp class="PROMPT">Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ?</samp>
<samp class="PROMPT">Max ticket lifetime (*5 minutes) [ 255 ] ?</samp>
<samp class="PROMPT">Attributes [ 0 ] ?</samp>
Edit O.K.
<samp
class="PROMPT">Principal name:</samp>         &lt;---- null entry here will cause an exit
</pre>
</div>

<div class="SECT2">
<h2 class="SECT2"><a id="AEN11321" name="AEN11321">10.6.4. Creating the Server
File</a></h2>

<p>We now have to extract all the instances which define the services on each machine.
For this we use the <tt class="COMMAND">ext_srvtab</tt> command. This will create a file
which must be copied or moved <span class="emphasis"><i class="EMPHASIS">by secure
means</i></span> to each Kerberos client's <tt class="FILENAME">/etc/kerberosIV</tt>
directory. This file must be present on each server and client, and is crucial to the
operation of Kerberos.</p>

<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">ext_srvtab grunt</kbd>
<samp class="PROMPT">Enter Kerberos master key:</samp>

Current Kerberos master key version is 1.

Master key entered. BEWARE!
Generating 'grunt-new-srvtab'....
</pre>

<p>Now, this command only generates a temporary file which must be renamed to <tt
class="FILENAME">srvtab</tt> so that all the servers can pick it up. Use the <span
class="CITEREFENTRY"><span class="REFENTRYTITLE">mv</span>(1)</span> command to move it
into place on the original system:</p>

<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">mv grunt-new-srvtab srvtab</kbd>
</pre>

<p>If the file is for a client system, and the network is not deemed safe, then copy the
<tt class="FILENAME"><var class="REPLACEABLE">client</var>-new-srvtab</tt> to removable
media and transport it by secure physical means. Be sure to rename it to <tt
class="FILENAME">srvtab</tt> in the client's <tt class="FILENAME">/etc/kerberosIV</tt>
directory, and make sure it is mode 600:</p>

<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">mv grumble-new-srvtab srvtab</kbd>
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">chmod 600 srvtab</kbd>
</pre>
</div>

<div class="SECT2">
<h2 class="SECT2"><a id="AEN11349" name="AEN11349">10.6.5. Populating the
Database</a></h2>