kerberosiv.html

FreeBSD安装说明概述 FreeBSD 提供了一个以文字为主

<p>We now have to add some user entries into the database. First let us create an entry
for the user <tt class="USERNAME">jane</tt>. Use the <tt class="COMMAND">kdb_edit</tt>
command to do this:</p>

<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">kdb_edit</kbd>
Opening database...

<samp class="PROMPT">Enter Kerberos master key:</samp>

Current Kerberos master key version is 1.

Master key entered.  BEWARE!
Previous or default values are in [brackets] ,
enter return to leave the same, or new value.

<samp class="PROMPT">Principal name:</samp> <kbd class="USERINPUT">jane</kbd>
<samp class="PROMPT">Instance:</samp>

&lt;Not found&gt;, <samp class="PROMPT">Create [y] ?</samp> <kbd
class="USERINPUT">y</kbd>

Principal: jane, Instance: , kdc_key_ver: 1
<samp
class="PROMPT">New Password:</samp>                &lt;---- enter a secure password here
Verifying password

<samp
class="PROMPT">New Password:</samp>                &lt;---- re-enter the password here
Principal's new key version = 1
<samp class="PROMPT">Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ?</samp>
<samp class="PROMPT">Max ticket lifetime (*5 minutes) [ 255 ] ?</samp>
<samp class="PROMPT">Attributes [ 0 ] ?</samp>
Edit O.K.
<samp
class="PROMPT">Principal name:</samp>          &lt;---- null entry here will cause an exit
</pre>
</div>

<div class="SECT2">
<h2 class="SECT2"><a id="AEN11369" name="AEN11369">10.6.6. Testing It All Out</a></h2>

<p>First we have to start the Kerberos daemons. Note that if you have correctly edited
your <tt class="FILENAME">/etc/rc.conf</tt> then this will happen automatically when you
reboot. This is only necessary on the Kerberos server. Kerberos clients will
automatically get what they need from the <tt class="FILENAME">/etc/kerberosIV</tt>
directory.</p>

<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">kerberos &amp;</kbd>
Kerberos server starting
Sleep forever on error
Log file is /var/log/kerberos.log
Current Kerberos master key version is 1.

Master key entered. BEWARE!

Current Kerberos master key version is 1
Local realm: EXAMPLE.COM
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">kadmind -n &amp;</kbd>
KADM Server KADM0.0A initializing
Please do not use 'kill -9' to kill this job, use a
regular kill instead

Current Kerberos master key version is 1.

Master key entered.  BEWARE!
</pre>

<p>Now we can try using the <tt class="COMMAND">kinit</tt> command to get a ticket for
the ID <tt class="USERNAME">jane</tt> that we created above:</p>

<pre class="SCREEN">
<samp class="PROMPT">%</samp> <kbd class="USERINPUT">kinit jane</kbd>
MIT Project Athena (grunt.example.com)
Kerberos Initialization for "jane"
<samp class="PROMPT">Password:</samp>
</pre>

<p>Try listing the tokens using <tt class="COMMAND">klist</tt> to see if we really have
them:</p>

<pre class="SCREEN">
<samp class="PROMPT">%</samp> <kbd class="USERINPUT">klist</kbd>
Ticket file:    /tmp/tkt245
Principal:      jane@EXAMPLE.COM

  Issued           Expires          Principal
Apr 30 11:23:22  Apr 30 19:23:22  krbtgt.EXAMPLE.COM@EXAMPLE.COM
</pre>

<p>Now try changing the password using <span class="CITEREFENTRY"><span
class="REFENTRYTITLE">passwd</span>(1)</span> to check if the <b
class="APPLICATION">kpasswd</b> daemon can get authorization to the Kerberos
database:</p>

<pre class="SCREEN">
<samp class="PROMPT">%</samp> <kbd class="USERINPUT">passwd</kbd>
realm EXAMPLE.COM
<samp class="PROMPT">Old password for jane:</samp>
<samp class="PROMPT">New Password for jane:</samp>
Verifying password
<samp class="PROMPT">New Password for jane:</samp>
Password changed.
</pre>
</div>

<div class="SECT2">
<h2 class="SECT2"><a id="AEN11402" name="AEN11402">10.6.7. Adding <tt
class="COMMAND">su</tt> Privileges</a></h2>

<p>Kerberos allows us to give <span class="emphasis"><i class="EMPHASIS">each</i></span>
user who needs <tt class="USERNAME">root</tt> privileges their own <span
class="emphasis"><i class="EMPHASIS">separate</i></span> <span class="CITEREFENTRY"><span
class="REFENTRYTITLE">su</span>(1)</span> password. We could now add an ID which is
authorized to <span class="CITEREFENTRY"><span class="REFENTRYTITLE">su</span>(1)</span>
to <tt class="USERNAME">root</tt>. This is controlled by having an instance of <tt
class="USERNAME">root</tt> associated with a principal. Using <tt
class="COMMAND">kdb_edit</tt> we can create the entry <var
class="LITERAL">jane.root</var> in the Kerberos database:</p>

<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">kdb_edit</kbd>
Opening database...

<samp class="PROMPT">Enter Kerberos master key:</samp>

Current Kerberos master key version is 1.

Master key entered.  BEWARE!
Previous or default values are in [brackets] ,
enter return to leave the same, or new value.

<samp class="PROMPT">Principal name:</samp> <kbd class="USERINPUT">jane</kbd>
<samp class="PROMPT">Instance:</samp> <kbd class="USERINPUT">root</kbd>

&lt;Not found&gt;, Create [y] ? y

Principal: jane, Instance: root, kdc_key_ver: 1
<samp
class="PROMPT">New Password:</samp>                    &lt;---- enter a SECURE password here
Verifying password

<samp class="PROMPT">New Password:</samp>            &lt;---- re-enter the password here

Principal's new key version = 1
<samp class="PROMPT">Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ?</samp>
<samp class="PROMPT">Max ticket lifetime (*5 minutes) [ 255 ] ?</samp> <kbd
class="USERINPUT">12</kbd> &lt;--- Keep this short!
<samp class="PROMPT">Attributes [ 0 ] ?</samp>
Edit O.K.
<samp
class="PROMPT">Principal name:</samp>                &lt;---- null entry here will cause an exit
</pre>

<p>Now try getting tokens for it to make sure it works:</p>

<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">kinit jane.root</kbd>
MIT Project Athena (grunt.example.com)
Kerberos Initialization for "jane.root"
<samp class="PROMPT">Password:</samp>
</pre>

<p>Now we need to add the user to <tt class="USERNAME">root</tt>'s <tt
class="FILENAME">.klogin</tt> file:</p>

<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">cat /root/.klogin</kbd>
jane.root@EXAMPLE.COM
</pre>

<p>Now try doing the <span class="CITEREFENTRY"><span
class="REFENTRYTITLE">su</span>(1)</span>:</p>

<pre class="SCREEN">
<samp class="PROMPT">%</samp> <kbd class="USERINPUT">su</kbd>
<samp class="PROMPT">Password:</samp>
</pre>

<p>and take a look at what tokens we have:</p>

<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">klist</kbd>
Ticket file:    /tmp/tkt_root_245
Principal:      jane.root@EXAMPLE.COM

  Issued           Expires          Principal
May  2 20:43:12  May  3 04:43:12  krbtgt.EXAMPLE.COM@EXAMPLE.COM
</pre>
</div>

<div class="SECT2">
<h2 class="SECT2"><a id="AEN11457" name="AEN11457">10.6.8. Using Other Commands</a></h2>

<p>In an earlier example, we created a principal called <var class="LITERAL">jane</var>
with an instance <var class="LITERAL">root</var>. This was based on a user with the same
name as the principal, and this is a Kerberos default; that a <var
class="LITERAL">&lt;principal&gt;.&lt;instance&gt;</var> of the form <var
class="LITERAL">&lt;username&gt;.</var><tt class="USERNAME">root</tt> will allow that
<var class="LITERAL">&lt;username&gt;</var> to <span class="CITEREFENTRY"><span
class="REFENTRYTITLE">su</span>(1)</span> to <tt class="USERNAME">root</tt> if the
necessary entries are in the <tt class="FILENAME">.klogin</tt> file in <tt
class="USERNAME">root</tt>'s home directory:</p>

<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">cat /root/.klogin</kbd>
jane.root@EXAMPLE.COM
</pre>

<p>Likewise, if a user has in their own home directory lines of the form:</p>

<pre class="SCREEN">
<samp class="PROMPT">%</samp> <kbd class="USERINPUT">cat ~/.klogin</kbd>
jane@EXAMPLE.COM
jack@EXAMPLE.COM
</pre>

<p>This allows anyone in the <var class="LITERAL">EXAMPLE.COM</var> realm who has
authenticated themselves as <tt class="USERNAME">jane</tt> or <tt
class="USERNAME">jack</tt> (via <tt class="COMMAND">kinit</tt>, see above) to access to
<tt class="USERNAME">jane</tt>'s account or files on this system (<tt
class="HOSTID">grunt</tt>) via <span class="CITEREFENTRY"><span
class="REFENTRYTITLE">rlogin</span>(1)</span>, <span class="CITEREFENTRY"><span
class="REFENTRYTITLE">rsh</span>(1)</span> or <span class="CITEREFENTRY"><span
class="REFENTRYTITLE">rcp</span>(1)</span>.</p>

<p>For example, <tt class="USERNAME">jane</tt> now logs into another system using
Kerberos:</p>

<pre class="SCREEN">
<samp class="PROMPT">%</samp> <kbd class="USERINPUT">kinit</kbd>
MIT Project Athena (grunt.example.com)
<samp class="PROMPT">Password:</samp>
<samp class="PROMPT">%</samp> <kbd class="USERINPUT">rlogin grunt</kbd>
Last login: Mon May  1 21:14:47 from grumble
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
        The Regents of the University of California.   All rights reserved.

FreeBSD BUILT-19950429 (GR386) #0: Sat Apr 29 17:50:09 SAT 1995
</pre>

<p>Or <tt class="USERNAME">jack</tt> logs into <tt class="USERNAME">jane</tt>'s account
on the same machine (<tt class="USERNAME">jane</tt> having set up the <tt
class="FILENAME">.klogin</tt> file as above, and the person in charge of Kerberos having
set up principal <span class="emphasis"><i class="EMPHASIS">jack</i></span> with a null
instance):</p>

<pre class="SCREEN">
<samp class="PROMPT">%</samp> <kbd class="USERINPUT">kinit</kbd>
<samp class="PROMPT">%</samp> <kbd class="USERINPUT">rlogin grunt -l jane</kbd>
MIT Project Athena (grunt.example.com)
<samp class="PROMPT">Password:</samp>
Last login: Mon May  1 21:16:55 from grumble
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
        The Regents of the University of California.   All rights reserved.
FreeBSD BUILT-19950429 (GR386) #0: Sat Apr 29 17:50:09 SAT 1995
</pre>
</div>
</div>

<div class="NAVFOOTER">
<hr align="LEFT" width="100%" />
<table summary="Footer navigation table" width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<td width="33%" align="left" valign="top"><a href="one-time-passwords.html"
accesskey="P">Prev</a></td>
<td width="34%" align="center" valign="top"><a href="index.html"
accesskey="H">Home</a></td>
<td width="33%" align="right" valign="top"><a href="kerberos5.html"
accesskey="N">Next</a></td>
</tr>

<tr>
<td width="33%" align="left" valign="top">One-time Passwords</td>
<td width="34%" align="center" valign="top"><a href="security.html"
accesskey="U">Up</a></td>
<td width="33%" align="right" valign="top"><b class="APPLICATION">Kerberos5</b></td>
</tr>
</table>
</div>
</body>
</html>