Chapter 10. Kerberos
Once you have completed the steps listed above, the Kerberos server should be up and running. Next,
we will set up a Kerberos client.
10.7. Configuring a Kerberos 5 Client
Setting up a Kerberos 5 client is less involved than setting up a server. At minimum, install the client
packages and provide each client with a valid krb5.conf configuration file. Kerberized versions of rsh
and rlogin will also require some configuration changes.
1. Be sure that you have time synchronization in place between the Kerberos client and KDC.
See Section 10.6 for more information. In addition, verify that DNS is working properly on the
Kerberos client before configuring the Kerberos client programs.
2. Install the krb5-libs and krb5-workstation packages on all of the client machines. You must supply a
version of /etc/krb5.conf for each client; usually this can be the same krb5.conf used by the KDC.
3. Before a workstation in the realm can allow users to connect using kerberized rsh and rlogin, that
workstation will need to have the xinetd package installed and have its own host principal in the
Kerberos database. The kshd and klogind server programs will also need access to the keys for their
service's principal.
Using kadmin, add a host principal for the workstation on the KDC. The instance in this case will be
the hostname of the workstation. You can use the -randkey option to kadmin's addprinc command on the
KDC to create the principal and assign it a random key:
    addprinc -randkey host/blah.example.com
Now that you have created the principal, you can extract the keys for the workstation by running
kadmin on the workstation itself, and using the ktadd command within kadmin:
    ktadd -k /etc/krb5.keytab host/blah.example.com
In order to use the kerberized versions of rsh and rlogin, you must enable klogin, eklogin, and
kshell. [1]
4. Other kerberized network services will need to be started. To use kerberized telnet, you must enable
krb5-telnet.
To provide FTP access, create and extract a key for a principal with a root of ftp, with the instance
set to the hostname of the FTP server. Then enable gssftp.
The IMAP server included in the imap package will use GSS-API authentication using Kerberos 5 if it
finds the proper key in /etc/krb5.keytab. The root for the principal should be imap.
The CVS gserver uses a principal with a root of cvs and is otherwise identical to a pserver.
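The check below is an added example, not part of the original guide: it reads `klist -k` output and reports which principals the services enabled in steps 3 and 4 still lack in the keytab. The sample listing, the EXAMPLE.COM realm and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare a keytab listing with the principals that the
# services named in steps 3 and 4 require. All function names are hypothetical.

# Map a service from this section to the principal root it needs.
principal_root() {
    case "$1" in
        klogin|eklogin|kshell) echo host ;;   # kerberized rsh/rlogin
        gssftp)                echo ftp  ;;
        imap)                  echo imap ;;
        cvs)                   echo cvs  ;;
        *) return 1 ;;
    esac
}

# stdin: `klist -k` output. stdout: unique principals with the realm removed.
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ && NF >= 2 { sub(/@.*/, "", $2); print $2 }' | sort -u
}

# usage: klist -k /etc/krb5.keytab | missing_principals <hostname> <service>...
# Prints every required root/hostname principal that is absent from the keytab.
# The match is exact, so a principal created with a different form of the
# hostname than the one passed here (for example the short name) is reported.
missing_principals() {
    host=$1; shift
    have=$(keytab_principals)
    for svc in "$@"; do
        root=$(principal_root "$svc") || { echo "unknown-service:$svc"; continue; }
        printf '%s\n' "$have" | grep -qxF "$root/$host" || echo "$root/$host"
    done | sort -u
}

# Constructed sample of `klist -k` output (not taken from a real system).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------
   3 host/blah.example.com@EXAMPLE.COM
   3 host/blah.example.com@EXAMPLE.COM
   2 imap/blah@EXAMPLE.COM'

# Demo: the host key is present; ftp is missing and imap uses the short name.
printf '%s\n' "$SAMPLE_KLIST" |
    missing_principals blah.example.com kshell klogin gssftp imap
```
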
10.8. Additional Resources
For more information on Kerberos, refer to the following resources.
[1] Refer to the chapter titled Controlling Access to Services in the Official Red Hat Linux
Customization Guide for details on enabling services.