Updates to the Kerberos section:
- prefer sysrc to manual edits of /etc/rc.conf
- Add pkg install step
- provide the full path to the kadmind.acl file
- Updated messages from kadmin add command
- Update Heimdal wiki link

I changed only minor details in the original patch to conform to our doc style and conventions.

Submitted by: farhan_farhan.codes
Approved by: bcr@
Differential Revision: https://reviews.freebsd.org/D23596
This commit is contained in: parent 0f691ba726, commit c3450d7ed5
Notes: svn2git 2020-12-08 03:00:23 +00:00; svn path=/head/; revision=54114
1 changed file with 31 additions and 18 deletions
@ -1207,11 +1207,16 @@ sendmail : PARANOID : deny</programlisting>
|
|||
<acronym>KDC</acronym> is recommended for security
|
||||
reasons.</para>
|
||||
|
||||
<para>To begin setting up a <acronym>KDC</acronym>, add these
|
||||
lines to <filename>/etc/rc.conf</filename>:</para>
|
||||
<para>To begin, install the <package>security/heimdal</package>
|
||||
package as follows:</para>
|
||||
|
||||
<programlisting>kdc_enable="YES"
|
||||
kadmind_enable="YES"</programlisting>
|
||||
<screen>&prompt.root; <userinput>pkg install heimdal</userinput></screen>
|
||||
|
||||
<para>Next, update <filename>/etc/rc.conf</filename> using
|
||||
<command>sysrc</command> as follows:</para>
|
||||
|
||||
<screen>&prompt.root; <userinput>sysrc kdc_enable=yes</userinput>
|
||||
&prompt.root; <userinput>sysrc kadmind_enable=yes</userinput></screen>
|
||||
|
||||
<para>Next, edit <filename>/etc/krb5.conf</filename> as
|
||||
follows:</para>
|
||||
|
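Review bot: the new first step installs security/heimdal from packages, but everything that follows in this hunk (the kdc_enable/kadmind_enable knobs, "edit /etc/krb5.conf") is unchanged from the base-system Heimdal walkthrough, and the later hunk points at /var/heimdal/kadmind.acl. Please state in the text whether the packaged kdc and kadmind read those same files and are started by the same rc.conf knobs as the base daemons, or make the pkg install step explicitly optional; as written, a reader on a system that already has base Heimdal cannot tell which set of daemons and config paths the rest of the section refers to.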
@ -1295,24 +1300,31 @@ Realm max ticket life [unlimited]:</screen>
|
|||
<para>Lastly, while still in <command>kadmin</command>, create
|
||||
the first principal using <command>add</command>. Stick to
|
||||
the default options for the principal for now, as these can be
|
||||
changed later with <command>modify</command>. Type
|
||||
<literal>?</literal> at the prompt to see the available
|
||||
<command>kadmin</command>, using the <command>add</command>.
|
||||
Stick to the default options for the admin principal for now,
|
||||
as these can be changed later with <command>modify</command>.
|
||||
Type <literal>?</literal> at the prompt to see the available
|
||||
options.</para>
|
||||
|
||||
<screen>kadmin> <userinput>add <replaceable>tillman</replaceable></userinput>
|
||||
<screen>kadmin> <userinput>add tillman</userinput>
|
||||
Max ticket life [unlimited]:
|
||||
Max renewable life [unlimited]:
|
||||
Principal expiration time [never]:
|
||||
Password expiration time [never]:
|
||||
Attributes []:
|
||||
Password: <userinput><replaceable>xxxxxxxx</replaceable></userinput>
|
||||
Verifying password - Password: <userinput><replaceable>xxxxxxxx</replaceable></userinput></screen>
|
||||
|
||||
<para>Next, start the <acronym>KDC</acronym> services by running
|
||||
<command>service kdc start</command> and
|
||||
<command>service kadmind start</command>. While there will
|
||||
not be any kerberized daemons running at this point, it is
|
||||
possible to confirm that the <acronym>KDC</acronym> is
|
||||
functioning by obtaining a ticket for the
|
||||
principal that was just created:</para>
|
||||
<para>Next, start the <acronym>KDC</acronym> services by
|
||||
running:</para>
|
||||
|
||||
<screen>&prompt.root; <userinput>service kdc start</userinput>
|
||||
&prompt.root; <userinput>service kadmind start</userinput></screen>
|
||||
|
||||
<para>While there will not be any kerberized daemons running at
|
||||
this point, it is possible to confirm that the
|
||||
<acronym>KDC</acronym> is functioning by obtaining a ticket
|
||||
for the principle that was just created:</para>
|
||||
|
||||
<screen>&prompt.user; <userinput>kinit <replaceable>tillman</replaceable></userinput>
|
||||
tillman@EXAMPLE.ORG's Password:</screen>
|
||||
|
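Review bot: "obtaining a ticket for the principle that was just created" in the new paragraph should read "principal"; the removed text had it right, so the patch introduces the typo. Two smaller points in the same hunk: the new kadmin screen drops the <replaceable> markup (it now reads `add tillman`) while the kinit screen just below keeps `<replaceable>tillman</replaceable>`, so restore the markup to keep the placeholder consistent; and the new sentence "create the first principal ... <command>kadmin</command>, using the <command>add</command>." is a fragment, better as "using <command>add</command>" or "using the <command>add</command> command".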
@ -1380,8 +1392,9 @@ Aug 27 15:37:58 2013 Aug 28 01:37:58 2013 krbtgt/EXAMPLE.ORG@EXAMPLE.ORG</scre
|
|||
<command>kadmin</command> will prompt for the password to get
|
||||
a fresh ticket. The principal authenticating to the kadmin
|
||||
service must be permitted to use the <command>kadmin</command>
|
||||
interface, as specified in <filename>kadmind.acl</filename>.
|
||||
See the section titled <quote>Remote administration</quote> in
|
||||
interface, as specified in
|
||||
<filename>/var/heimdal/kadmind.acl</filename>. See the
|
||||
section titled <quote>Remote administration</quote> in
|
||||
<command>info heimdal</command> for details on designing
|
||||
access control lists. Instead of enabling remote
|
||||
<command>kadmin</command> access, the administrator could
|
||||
|
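Review bot: spelling out /var/heimdal/kadmind.acl is clearer than the bare file name, but that is the base-system Heimdal default; with the pkg install step added in the first hunk, say whether the packaged kadmind reads the same file. Since this ACL is what gates who may use the kadmin interface remotely, a one-line reminder here that the file must be owned by and writable only by root would fit naturally next to the pointer to "Remote administration" in info heimdal.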
@ -1756,8 +1769,8 @@ kadmind_enable="YES"</programlisting>
|
|||
|
||||
<listitem>
|
||||
<para><link
|
||||
xlink:href="https://www.h5l.org/">Heimdal
|
||||
<application>Kerberos</application> home
|
||||
xlink:href="https://github.com/heimdal/heimdal/wiki">Heimdal
|
||||
<application>Kerberos</application> project wiki
|
||||
page</link></para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
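Review bot: the hunk header context `kadmind_enable="YES"</programlisting>` (around line 1756 of the file) shows that a later section still tells the reader to add kdc/kadmind lines to /etc/rc.conf by hand, while the first hunk of this patch switched the KDC setup to sysrc; for consistency either convert that listing to sysrc commands as well or note once that the two forms are equivalent. On the link itself, the h5l.org home page entry is replaced rather than supplemented; if the home page is still the project's canonical site, keep it alongside the new wiki link rather than dropping it.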