Difference between revisions of "Drift/Kerberos"

From Programvareverkstedet
Revision as of 16:00, 9 January 2010

New Kerberos clients

Add a host principal

knuta@kvikk ~ $ kadmin -p knuta/admin
kadmin> add --random-key host/berners-lee.pvv.ntnu.no
Max ticket life [1 day]:
Max renewable life [1 week]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes [requires-pre-auth]:

Log in to the machine.

Install Heimdal:

berners-lee:~# aptitude install heimdal-clients

Download the keytab:

berners-lee:~# ktutil get -p knuta/admin host/berners-lee.pvv.ntnu.no

Configure PAM. On a Debian machine the setup can, for example, look like this:

/etc/pam.d/common-account:
account required        pam_krb5.so     minimum_uid=1000
account required        pam_unix.so

/etc/pam.d/common-auth:
auth    sufficient      pam_krb5.so     minimum_uid=1000
auth    required        pam_unix.so nullok_secure

/etc/pam.d/common-password:
# NB! Check this one, it looks a bit wrong!
password        sufficient      pam_krb5.so     minimum_uid=1000
password   required   pam_unix.so nullok obscure md5

/etc/pam.d/common-session:
session optional        pam_krb5.so     minimum_uid=1000
session required        pam_unix.so
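As an added example (not part of the wiki page), a small POSIX shell audit of the four common-* stacks above. It assumes the Debian layout and the pam_krb5 minimum_uid=1000 convention shown here; the sample files it writes are constructed for offline testing only.

```shell
#!/bin/sh
# Added audit helper, not part of the PVV wiki page. It checks one Debian
# /etc/pam.d/common-<type> file for two properties of the stacks shown above:
#   1. every pam_krb5.so line carries minimum_uid=1000, so root and the other
#      system accounts (uid < 1000) are never authenticated through the KDC;
#   2. pam_krb5.so comes before the pam_unix.so fallback, and both are present.
# Usage: check_pam_stack /etc/pam.d/common-auth auth
# Prints one finding per line and returns 1 if anything is wrong.
check_pam_stack() {
    [ -r "$1" ] || { echo "$1: missing or unreadable"; return 1; }
    awk -v t="$2" -v f="$1" '
        BEGIN { bad = 0; seen_krb5 = 0; seen_unix = 0 }
        /^[ \t]*#/ || NF < 3 || $1 != t { next }      # comments, blanks, other types
        $3 == "pam_krb5.so" {
            seen_krb5 = 1
            if (seen_unix) { print f ": pam_krb5.so comes after pam_unix.so"; bad = 1 }
            ok = 0
            for (i = 4; i <= NF; i++) if ($i == "minimum_uid=1000") ok = 1
            if (!ok) { print f ": pam_krb5.so line lacks minimum_uid=1000"; bad = 1 }
        }
        $3 == "pam_unix.so" { seen_unix = 1 }
        END {
            if (!seen_krb5) { print f ": no pam_krb5.so " t " line"; bad = 1 }
            if (!seen_unix) { print f ": no pam_unix.so " t " fallback"; bad = 1 }
            exit bad
        }' "$1"
}

# Run the check over all four common-* files in a directory (default /etc/pam.d).
audit_pam_dir() {
    dir=${1:-/etc/pam.d}; status=0
    for t in account auth password session; do
        check_pam_stack "$dir/common-$t" "$t" || status=1
    done
    return $status
}

# Constructed sample data for offline testing: $1 receives the wiki's stacks,
# $2 receives an auth stack whose pam_krb5.so line forgot minimum_uid=1000.
make_sample_stacks() {
    printf 'account required pam_krb5.so minimum_uid=1000\naccount required pam_unix.so\n' > "$1/common-account"
    printf 'auth sufficient pam_krb5.so minimum_uid=1000\nauth required pam_unix.so nullok_secure\n' > "$1/common-auth"
    printf '# NB! Check this one\npassword sufficient pam_krb5.so minimum_uid=1000\npassword required pam_unix.so nullok obscure md5\n' > "$1/common-password"
    printf 'session optional pam_krb5.so minimum_uid=1000\nsession required pam_unix.so\n' > "$1/common-session"
    printf 'auth sufficient pam_krb5.so\nauth required pam_unix.so nullok_secure\n' > "$2/common-auth"
}
```

Run `audit_pam_dir` with no argument on a freshly enrolled client to confirm the stacks match the configuration above before handing the box over.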

Installing the KDC

Edit /etc/hosts so that the public IP (e.g. 129.241.210.168) points to the KDC's hostname; otherwise it will not work.

Install heimdal-clients

Add this to the bottom of /etc/krb5.conf to get the correct crypto algorithms:
[kadmin]
        default_keys = aes256-cts-hmac-sha1-96:pw-salt aes128-cts-hmac-sha1-96:pw-salt des3-cbc-sha1:pw-salt arcfour-hmac-md5:pw-salt

Install heimdal-kdc

asgard:~# kadmin -l
kadmin> init PVV.NTNU.NO
Realm max ticket life [unlimited]:
Realm max renewable ticket life [unlimited]:
kadmin: create_random_entry(krbtgt/PVV.NTNU.NO@PVV.NTNU.NO): randkey failed: Principal or policy already exists
kadmin: create_random_entry(kadmin/changepw@PVV.NTNU.NO): randkey failed: Principal or policy already exists
kadmin: create_random_entry(kadmin/admin@PVV.NTNU.NO): randkey failed: Principal or policy already exists
kadmin: create_random_entry(changepw/kerberos@PVV.NTNU.NO): randkey failed: Principal or policy already exists
kadmin: create_random_entry(kadmin/hprop@PVV.NTNU.NO): randkey failed: Principal or policy already exists
kadmin: kadm5_create_principal: Principal or policy already exists
kadmin> modify -a -disallow-all-tix,requires-pre-auth default
kadmin> get default
            Principal: default@PVV.NTNU.NO
    Principal expires: never
     Password expires: never
 Last password change: 2009-06-16 18:16:07 UTC
      Max ticket life: 1 day
   Max renewable life: 1 week
                 Kvno: 1
                Mkvno: 0
Last successful login: never
    Last failed login: never
   Failed login count: 0
        Last modified: 2009-06-16 18:18:43 UTC
             Modifier: kadmin/admin@PVV.NTNU.NO
           Attributes: requires-pre-auth
             Keytypes: aes256-cts-hmac-sha1-96(pw-salt), aes128-cts-hmac-sha1-96(pw-salt), des3-cbc-sha1(pw-salt), arcfour-hmac-md5(pw-salt)
          PK-INIT ACL: 
              Aliases: 
kadmin> add knuta/admin
Max ticket life [1 day]:
Max renewable life [1 week]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes [requires-pre-auth]:
knuta/admin@PVV.NTNU.NO's Password: 
Verifying - knuta/admin@PVV.NTNU.NO's Password: 

Edit /etc/heimdal-kdc/kadmind.acl and add the following:
knuta/admin all

Create a symlink (because of a bug in heimdal-kdc):
ln -s /etc/heimdal-kdc/kadmind.acl /var/lib/heimdal-kdc/

Edit /etc/heimdal-kdc/kdc.conf and set the following options:
[password_quality]
min_length = 8

[kadmin]
default_keys = aes256-cts-hmac-sha1-96:pw-salt aes128-cts-hmac-sha1-96:pw-salt des3-cbc-sha1:pw-salt arcfour-hmac-md5:pw-salt
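As an added check (not from the wiki page), a POSIX shell function that reads the default_keys line from the [kadmin] section of a Heimdal krb5.conf or kdc.conf such as the one above and reports which key types it enables; the sample configuration it writes is constructed from this page for offline testing.

```shell
#!/bin/sh
# Added check, not from the PVV wiki page: reads the default_keys line in the
# [kadmin] section of a Heimdal krb5.conf or kdc.conf and lists every key type
# it enables, marking arcfour-hmac-md5 (RC4) and the DES/3DES types, which
# RFC 8429 deprecates for Kerberos, as "legacy". Every new principal gets a key
# of each listed type, so a legacy entry here applies to all accounts created
# afterwards. Prints "enctype salt status" per key and returns 1 when a legacy
# type is enabled.
list_default_keys() {
    [ -r "$1" ] || { echo "$1: missing or unreadable" >&2; return 1; }
    awk '
        BEGIN { bad = 0; in_kadmin = 0 }
        /^[ \t]*#/ || NF == 0 { next }
        /^[ \t]*\[/ { in_kadmin = ($0 ~ /^[ \t]*\[kadmin\]/); next }   # section header
        in_kadmin && $0 ~ /^[ \t]*default_keys[ \t]*=/ {
            sub(/^[ \t]*default_keys[ \t]*=[ \t]*/, "")
            n = split($0, keys, /[ \t]+/)
            for (i = 1; i <= n; i++) {
                if (keys[i] == "") continue              # trailing whitespace
                split(keys[i], kv, ":")                  # enctype:salt-type
                status = "ok"
                if (kv[1] == "arcfour-hmac-md5" || kv[1] ~ /^des/) { status = "legacy"; bad = 1 }
                print kv[1], kv[2], status
            }
        }
        END { exit bad }' "$1"
}

# Constructed sample: the kdc.conf fragment from this page, for offline testing.
make_sample_kdc_conf() {
    cat > "$1" <<'EOF'
[password_quality]
min_length = 8

[kadmin]
default_keys = aes256-cts-hmac-sha1-96:pw-salt aes128-cts-hmac-sha1-96:pw-salt des3-cbc-sha1:pw-salt arcfour-hmac-md5:pw-salt
EOF
}
```

On the configuration from this page the function lists four key types and flags des3-cbc-sha1 and arcfour-hmac-md5; dropping those two from default_keys is only safe once every client that must talk to the realm supports the AES types.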