Movatterモバイル変換

Contents

Introduction

One way to help is with Kerberos. Kerberos is an authentication and encryption scheme that allows a user to become "known" by an authenticating server and then use that authentication to access systems and services on the net. The services can then transpire in an encrypted fashion to further secure transactions occurring over the net. The philosophy behind the creation of Kerberos, and ashort summary of how it works is available, but here we assume that you know what Kerberos is, and wish to implement a Kerberos domain on your network. But, we also assume that you are not a hot-shot UNIX programmer, so we intend to lead you by the hand in a step-by-step fashion through the entire process. In other words, this is our version of "Kerberos for Dummies."

Severalcommercialintegrators provide enterprise Kerberos solutions as well as technicalsupport and maintenance.  In particular, perhaps the easiest way toinstall Kerberos V5 is to useKerbnet fromCygnussolutions. Kerbnet is free and has clients for Win32 machines, Macintoshesand Unix hosts, and has KDC software for Unix and NT as well as host serversfor Unix platforms.

Check out theMITKerberos Web Sitefor the latest Kerberos release news. Another good source of information is theKerberos FAQ compiled by Ken Hornstein.

• The server should be physically secure.
• The operating system should be up to date with all the latest patches applied.
• There should be no user accounts on the machine except for the Kerberosadministrator.
• There should as few processes as possible running on the server other thanthe Kerberos key server demons.
• You probably need additional machines to serve as alternate servers incase there is a hardware problem or a network outage.

 If anyone has questions about using MIT Kerberos 5 tools witha DCE based KDC, send a message to:
dcewg@es.net

More information on the issues involved in accessing the distributedfile systems AFS and DFS from Kerberos arediscussedby Doug Engert.

If you use the DCE based KDC, you still need to compile the MIT Kerberos5 software. But you will not run the MIT Kerberos key server (/krb5/sbin/krb5kdc)or the MIT kadmind server (/krb5/sbin/kadmind).

In these instructions, your typing is shown initalics.

. This code is prebuilt and well-documented.

Obtain the necessary code

1. Create a directory for your kerberos code.

mkdir /kerberos
cd /kerberos
2. ftp to MIT to obtain the code. It is easiest if you use your Web browser.

ftp://athena-dist.mit.edu/pub/kerberos
An alternate site for all of the software isftp://prep.ai.mit.edu/pub/kerberos.
3. In the /pub/kerberos directory, get the README.KRB5 file:
4. Read the file to find out the name of the directory containing the code(it changes periodically)

For me, this was dist/961209, but it may have changed. You must goto this directory in one step!
ftp://athena-dist.mit.edu/pub/kerberos/dist/961209
5. Retrieve all the files (in binary!). The .asc files are the digital signaturesfor the corresponding files so that you can ensure that they have beenunchanged.
6. gunzip all the files and extract them. If you do not have gunzip, you canobtain it from the same place:

ftp://athena-dist.mit.edu/pub/gnu/gzip-1.2.4.tar

Do you need more code?

To properly build the C compiler (gcc), you will first need to get andinstallbison and the gnu assembler (as). The assembler isfound in thebinutilspackage. Without the gnu assembler, I obtainednumerous warnings during the compilation procedure, all of which disappearedwhen the gnuas was used. You might also be more successful if youuse the gnumake facility. If you do not have a C library on yourmachine, you will also need to obtainglibc from the gnu distribution(this should NOT be necessary on a UNIX machine). For debugging, obtainthe gnu debugger,gdb.

It will probably take an afternoon to build all of these tools. In eachcase, installation is fairly straight forward. As root, gunzip and untareach of the above .tar.gz files and switch into the program's root directory,which is always the utility name followed by the release number. To besafe, read the INSTALL file or README file if the former does not exist.You can use gzcat to save disk space by doing both of these steps at once:

gzcat filename.tar.gz | tar -xpf -

Building the gnu tools

1. Create the Makefile by running

./configure
2. Make the program by doing

make
3. Install the utilities in /usr/local/bin by doing

make install

Building the gnu C compiler

1. In thegcc_version directory, run

./configure --with-gnu-as
2. Build the stage 1 compiler. Just typemake LANGUAGES=c in the compilerdirectory. This will take some time.
3. Copy the initial compiler build into the stage1 subdirectory by typing

make stage1
4. Copy the gnu assembler into the stage1 directory. For example,

cp /usr/local/bin/as ~/gnu/gcc-2.7.2.1/stage1/as
5. Compile the compiler with itself to make the stage 2 compiler.

make CC="stage1/xgcc -Bstage1/" CFLAGS="-g -O2" LANGUAGES="C C++"
If you do not wish to have a C++ compiler, just use LANGUAGES="C".
6. Finally, to be safe, test the compiler by compiling it with itself onemore time. Install any other necessary GNU tools (such as the gnu assembleror the GNU linker) in the `stage2' subdirectory as you did in the `stage1'subdirectory, then

make stage2
make CC="stage2/xgcc -Bstage2/" CFLAGS="-g -O2"
This is called making the stage 3 compiler. Aside from the `-B' option,the compiler options should be the same as when you made the stage 2 compiler.But the `LANGUAGES' option need not be the same. The command shown abovebuilds compilers for all the supported languages; if you don't want themall, you can specify the languages to build by typing the argument `LANGUAGES="LIST"',as described above.
7. You can compare the stage2 and stage 3 compilers (they should be identical)by running

make compare
However, I have had no luck doing this. The two stages are always quitedifferent on my machine.
8. Install the compiler driver, the compiler's passes and run-time supportwith `make install'. Use the same value for `CC', `CFLAGS' and `LANGUAGES'that you used when compiling the files that are being installed. One reasonthis is necessary is that some versions of make have bugs and recompilefiles gratuitously when you perform this step. If you use the same variablevalues, those files will be recompiled properly.

For example, if you have built the stage 2 compiler, you can use thefollowing command:
make install CC="stage2/xgcc -Bstage2/" CFLAGS="-g -O" LANGUAGES="CC++"
This should copy the files `cc1', `cpp' and `libgcc.a' to files `cc1',`cpp' and `libgcc.a' in the directory `/usr/local/lib/gcc-lib/TARGET/VERSION',which is where the compiler driver program looks for them. Here TARGETis the target machine type specified when you ran `configure', and VERSIONis the version number of GNU CC. This naming scheme permits various versionsand/or cross-compilers to coexist. This step also copies the driver program`xgcc' into `/usr/local/bin/gcc', so that it appears in typical executionsearch paths.

install-normal: install-common $(INSTALL_HEADERS) $(INSTALL_LIBGCC)\
install-libobjc install-man lang.install-normal install-driver

to eliminateinstall-info from the second line. Thengccwas successfully installed! 

It is also good to get advice from experts. So, obtain theREADMEfile from Doug Engert's ftp site at Argonne National Laboratory:

ftp://achilles.ctd.anl.gov/pub/kerberos.v5/README

For example, for myHP-UX 10 system, Doug suggests many optionsin the configure command:

../src/configure --with-cc=gcc \
--with-ccopts="-O " --prefix=/krb5\
--with-cppopts='-DANL_DCE -DAFS524 '

The prefix option places the resulting source into the directory /krb5rather than the default. In general, I had much better success gettingconfigure to work properly if I put the --prefix command near the beginningof the configure argument string rather than at the end. It shouldn't makeany difference, but it did.

ForSolaris 2.6 I used the Sun c89 compiler and make (no gnu utilities)and had no problems at all. I used the configure command:

../src/configure --with-cc=c89 \
--enable-shared \
--with-ccopts="-O "\
--with-cppopts="-DANL_DCE -DANL_AFS_PAG -DANL_DFS_PAG -DAFS524 -DNO_MOTD "\
--prefix=/krb5

ForAIX 3.2.x, I had the IBM ANSI compiler, but the build onlyworked if I used --with-cc=cc as opposed to xlc or c89. On this platform,all components built properly with the configure command:

../src/configure --with-cc=cc \
--with-ccopts="-O " \
--with-cppopts='-DANL_DCE -DAFS524 '\
--prefix=/krb5

ForAIX 4.1.3, I used the IBM (cc) compiler and the configurecommand:
../src/configure --with-cc=cc --prefix=/krb5 \
--with-cppopts='-DANL_DCE -DAFS524 -ULOGIN_CAP_F '

ForAIX 4.2 with the IBM C/C++ compiler, configure would notwork unless I used the command:
../src/configure --with-cc=cc --prefix=/krb5 \
--with-cppopts='-DANL_DCE -DAFS524 -ULOGIN_CAP_F '

However, make will fail in the /src/util/pty directory unless you editthe Makefile to remove the two switches -DHAVE_SETUTXENT=1 -DHAVE_UTMPX_H=1
Having both utmp.h and utmpx.h included causes the utmp structure tobe multiple defined, and the definition in utmpx is not the one that isneeded.

 The code for the telnetd will not compile because the includein the file src/appl/telnet/telnetd/termios-tn.c is incorrect. Change #include<termios.h>
to #include <sys/termio.h>

For all platforms

1. In the /krb5-1.0/src directory, run the above configure command.
2. Make the code by doing

make
in the src directory.
If you are using the GNU make, and have renamed it to gmake, use thecommand
gmake MAKE=gmake
3. Install Kerberos using

make install
(or gmake MAKE=gmake install)
which puts the code into /krb5, as specified by the prefix option inconfigure.

Create the configuration files

Edit these files to reflect your Kerberos domain instead of mine (dsdoe.ornl.gov).

Create the Kerberos databases

/krb5/sbin/kdb5_util create -r dsdoe.ornl.gov -s
Initializing database '/krb5/lvar/krb5kdc/principal' for realm 'dsdoe.ornl.gov',
master key name 'K/M@dsdoe.ornl.gov'

You will be prompted for the database Master Password. It is importantthat you NOT FORGET this password.

Enter KDC database master key:
your_master_key
Re-enter KDC database master key to verify:
your_master_key

Replace our domain name with yours. The-s creates a stash filewhich is used to authenticate the KDC to itself.

Create an administratorkadm5.acl file following the instructions in the Kerberosmanual. Put it in the location specified in the 'acl_file =' section ofkdc.conf.

Add your administrator(s) to the KDC database as per the manual

 /krb5:738:sbin/kadmin.local
kadmin.local:addprinc admin/admin@dsdoe.ornl.gov
Enter password for principal "admin/admin@dsdoe.ornl.gov":your_password
Re-enter password for principal "admin/admin@dsdoe.ornl.gov":your_password
Principal "admin/admin@dsdoe.ornl.gov" created./krb5/sbin/kadmin.local

Create the keytab file on the server. kadmind uses this to determinewhat access it should give to administrators. The manual is wrong here.Stay in kadmin.local and give the command:

kadmin.local:ktadd -k /krb5/var/krb5kdc/kadm5.keytab kadmin/adminkadmin/changepw
Entry for principal kadmin/admin with kvno 3, encryption type DES-CBC-CRCadded to keytab WRFILE:/krb5/var/krb5kdc/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption typeDES-CBC-CRC added to keytab WRFILE:/krb5/var/krb5kdc/kadm5.keytab.
kadmin.local:quit

Edit the /etc/services file to include the following kerberized servcies.This list shows all the available servcies. Your key server should onlyhave the uncommented lines on the key server machine. The other servicesare used for Kerberized hosts.

# # Kerberos (Project Athena/MIT) services
#
#kerberos 88/udp kdc # Kerberos 5 kdc
#kerberos 88/tcp kdc # Kerberos 5 kdc
#klogin 543/tcp # Kerberos rlogin -kfall
#kshell 544/tcp krcmd # Kerberos remote shell -kfall
krb5_prop 754/tcp # Kerberos v5 slave propagation
kerberos-adm 749/tcp # Kerberos v5 admin/chpwd
kerberos-adm 749/udp # Kerberos v5 admin/chpwd
#eklogin 2105/tcp # Kerberos encrypted rlogin -kfall
kpasswd 761/tcp kpwd # Kerberos "passwd" -kfall
#ktelnet 545/tcp # Kerberized telnet v4/v5
#kftp-data 546/tcp # Kerberized ftp data V5
#kftp 547/tcp # Kerberized ftp v5
#

Start the Kerberos key servers

/krb5/sbin/krb5kdc
/krb5/sbin/kadmind

If you want the two servers to start up automatically when your kdcmachine is rebooted, you need to add them to your rc.local, inittab, orinit.d or whatever your system uses to start processes at boot time.

Getting the kadmin demon to work

kadmin: Client not found in Kerberos database while initializingkadmin interface

To be able to use the kadmin interface, you need to register yourselfas a database administrator.

On the KDC machine, in kadmin.local add an administrator role for yourself:

kadmin.local:addprinc jar/admin@dsdoe.ornl.gov
Enter password for principal "jar/admin@dsdoe.ornl.gov":your_password
Re-enter password for principal "jar/admin@dsdoe.ornl.gov":your_password
Principal "jar/admin@dsdoe.ornl.gov" created.
kadmin.local:quit

Now, on a remote machine (on which you have also installed Kerberos),you can get a ticket as an administrator.

 dsrocf:/krb5/bin:./kinit jar/admin
Password for jar/admin@dsdoe.ornl.gov:your_password
dsrocf:/krb5/bin:./klist

Now you can check to see that you have the correct ticket
Ticket cache:

/tmp/krb5cc_0
Default principal: jar/admin@dsdoe.ornl.gov
Valid starting Expires Service principal
18 Dec 96 14:13:52 19 Dec 96 00:13:26 krbtgt/dsdoe.ornl.gov@dsdoe.ornl.gov

NOTE: This HP-UX machine has DCE clients installed as part ofthe operating system.BE SURE TO USE THE PROGRAMS IN THE /krb5 DIRECTORYTREE. THE DCE VERSIONS ARE NOT COMPATIBLE WITH KERBEROS V5.

Now you can access kadmin on the Kerberos server (dsroc3) from dsrocf.

dsrocf:/krb5/sbin:409: ./kadmin
Enter password:your_password
kadmin:

Tip

A very easy way to see whats going wrong is to usestrace. You cansee what the program istrying to do and where it fails. To use strace on kadmin for example: strace kadmin.