Difference between revisions of "Kerberos"
From ProgClub
Revision as of 22:30, 9 August 2011
This page details the Kerberos configuration at ProgClub. Check out Network administration for other network admin related material. See Single sign-on for other SSO related material.
Project status
Complete! Charity is now configured as the KDC. We're still pending SSH integration, and there are a few more things to do for Single sign-on, but Kerberos is functional.
DNS configuration
See Hostnames for the Master and Slave KDCs for information about configuring DNS for Kerberos. ProgClub's DNS configuration for Kerberos is as follows:
progclub.org

$ORIGIN progclub.org.
_kerberos          TXT   "PROGCLUB.ORG"
kerberos           CNAME charity
_kerberos._udp     SRV   0 0 88  charity
_kerberos-adm._tcp SRV   0 0 749 charity
_kpasswd._udp      SRV   0 0 464 charity

progclub.com

$ORIGIN progclub.com.
_kerberos          TXT   "PROGCLUB.ORG"
kerberos           CNAME charity
_kerberos._udp     SRV   0 0 88  charity
_kerberos-adm._tcp SRV   0 0 749 charity
_kpasswd._udp      SRV   0 0 464 charity

progclub.info

$ORIGIN progclub.info.
_kerberos          TXT   "PROGCLUB.ORG"
kerberos           CNAME charity
_kerberos._udp     SRV   0 0 88  charity
_kerberos-adm._tcp SRV   0 0 749 charity
_kpasswd._udp      SRV   0 0 464 charity

progclub.net

$ORIGIN progclub.net.
_kerberos          TXT   "PROGCLUB.ORG"
kerberos           CNAME charity
_kerberos._udp     SRV   0 0 88  charity
_kerberos-adm._tcp SRV   0 0 749 charity
_kpasswd._udp      SRV   0 0 464 charity

progclub.co

$ORIGIN progclub.co.
_kerberos          TXT   "PROGCLUB.ORG"
kerberos           CNAME charity
_kerberos._udp     SRV   0 0 88  charity
_kerberos-adm._tcp SRV   0 0 749 charity
_kpasswd._udp      SRV   0 0 464 charity

progclub.mobi

$ORIGIN progclub.mobi.
_kerberos          TXT   "PROGCLUB.ORG"
kerberos           CNAME charity
_kerberos._udp     SRV   0 0 88  charity
_kerberos-adm._tcp SRV   0 0 749 charity
_kpasswd._udp      SRV   0 0 464 charity
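Every one of the six zones above carries the same five records, and all of them point at the same realm and host, so they are worth checking mechanically whenever a zone is edited: a stale or altered SRV record would send clients to a different KDC. The following script is an added example, not part of the ProgClub page; it parses a zone fragment in the form shown above and verifies that the _kerberos TXT hint names the expected realm and that each SRV record targets the expected KDC on the IANA-assigned port. The zone text is a constructed copy of the progclub.org records, and the expected KDC name charity.progclub.org. is taken from this page.

```python
# Constructed copy of the progclub.org zone fragment shown on this page.
ZONE_PROGCLUB_ORG = """\
$ORIGIN progclub.org.
_kerberos TXT "PROGCLUB.ORG"
kerberos CNAME charity
_kerberos._udp SRV 0 0 88 charity
_kerberos-adm._tcp SRV 0 0 749 charity
_kpasswd._udp SRV 0 0 464 charity
"""

# IANA-assigned ports for the three services the SRV records advertise.
EXPECTED_SRV = {"_kerberos._udp": 88, "_kerberos-adm._tcp": 749, "_kpasswd._udp": 464}

def qualify(name, origin):
    # Relative names in a zone file are completed with $ORIGIN.
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text):
    """Return ($ORIGIN, {(owner, type): rdata fields}) for a simple zone fragment."""
    origin, records = "", {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        owner, rtype, *rdata = line.split()
        records[(owner, rtype)] = rdata
    return origin, records

def audit_kerberos_records(text, expected_realm, expected_kdc):
    """Return findings; an empty list means the zone advertises the expected realm and KDC."""
    origin, records = parse_zone(text)
    findings = []
    txt = records.get(("_kerberos", "TXT"))
    # Realm names are case-sensitive, so the TXT hint is compared exactly.
    if txt is None or txt[0].strip('"') != expected_realm:
        findings.append("_kerberos TXT realm hint missing or wrong")
    for name, port in EXPECTED_SRV.items():
        rdata = records.get((name, "SRV"))
        if rdata is None:
            findings.append(f"{name} SRV record missing")
            continue
        _priority, _weight, srv_port, target = rdata
        if int(srv_port) != port:
            findings.append(f"{name} uses port {srv_port}, expected {port}")
        if qualify(target, origin) != expected_kdc:
            findings.append(f"{name} targets {target}, expected {expected_kdc}")
    return findings
```

Run it with each of the other five zones and the matching charity.progclub.<tld>. name to cover the whole set.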
KDC configuration
The KDC (Key Distribution Centre) for ProgClub is charity.progclub.org, aliased as kerberos.progclub.*.
Configuration
root@charity:/etc# ll kr*
-rw-r--r-- 1 root root 1755 2011-08-05 02:36 krb5.conf

krb5kdc:
total 20
drwx------  2 root root 4096 2011-08-04 11:57 ./
drwxr-xr-x 78 root root 4096 2011-08-05 02:37 ../
-rw-r--r--  1 root root  353 2011-08-04 11:53 kadm5.acl
-rw-r--r--  1 root root  640 2011-08-04 11:49 kdc.conf
-rw-------  1 root root   65 2011-08-04 11:57 stash

root@charity:/etc# cat krb5.conf
[logging]
    default = FILE:/var/log/krb5.log

[libdefaults]
    default_realm = PROGCLUB.ORG

# The following krb5.conf variables are only for MIT Kerberos.
    krb4_config = /etc/krb.conf
    krb4_realms = /etc/krb.realms
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented.  In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

#   default_tgs_enctypes = des3-hmac-sha1
#   default_tkt_enctypes = des3-hmac-sha1
#   permitted_enctypes = des3-hmac-sha1

# The following libdefaults parameters are only for Heimdal Kerberos.
    v4_instance_resolve = false
    v4_name_convert = {
        host = {
            rcmd = host
            ftp = ftp
        }
        plain = {
            something = something-else
        }
    }
    fcc-mit-ticketflags = true

[realms]
    PROGCLUB.ORG = {
        kdc = kerberos.progclub.org:88
        admin_server = kerberos.progclub.org
        default_domain = progclub.org
    }

[domain_realm]
    .progclub.org = PROGCLUB.ORG
    progclub.org = PROGCLUB.ORG
    .progclub.com = PROGCLUB.ORG
    progclub.com = PROGCLUB.ORG
    .progclub.info = PROGCLUB.ORG
    progclub.info = PROGCLUB.ORG
    .progclub.net = PROGCLUB.ORG
    progclub.net = PROGCLUB.ORG
    .progclub.co = PROGCLUB.ORG
    progclub.co = PROGCLUB.ORG
    .progclub.mobi = PROGCLUB.ORG
    progclub.mobi = PROGCLUB.ORG

[login]
    krb4_convert = true
    krb4_get_tickets = false

root@charity:/etc# cat krb5kdc/kadm5.acl
# This file is the access control list for krb5 administration.
# When this file is edited run /etc/init.d/krb5-admin-server restart to activate
# One common way to set up Kerberos administration is to give any principal
# ending in /admin full administrative rights.
# To enable this, uncomment the following line:
*/admin@PROGCLUB.ORG *

root@charity:/etc# cat krb5kdc/kdc.conf
[kdcdefaults]
    kdc_ports = 750,88
    default_realm = PROGCLUB.ORG

[realms]
    PROGCLUB.ORG = {
        database_name = /var/lib/krb5kdc/principal
        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = /etc/krb5kdc/stash
        kdc_ports = 750,88
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
        default_principal_flags = +preauth
    }
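The realm stanza in kdc.conf above is the Debian default of the time: the master key and most of supported_enctypes use DES, triple DES or RC4, which later RFCs deprecated for Kerberos (single DES in RFC 6649; RC4 and triple DES in RFC 8429), so any principal keyed with one of them is only as strong as that cipher. The script below is an added example, not part of the ProgClub configuration; it parses the MIT profile syntax shared by kdc.conf and krb5.conf (sections, key = value pairs, and nested { } blocks) and reports which settings in a realm stanza fall in that deprecated set, as well as whether +preauth is kept. The kdc.conf text is a constructed copy of the listing above trimmed to the keys the audit reads.

```python
# Constructed excerpt of the kdc.conf shown on this page, trimmed to the keys the audit reads.
KDC_CONF = """\
[kdcdefaults]
    kdc_ports = 750,88
    default_realm = PROGCLUB.ORG
[realms]
    PROGCLUB.ORG = {
        kdc_ports = 750,88
        master_key_type = des3-hmac-sha1
        supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
        default_principal_flags = +preauth
    }
"""
# Enctypes deprecated for Kerberos by RFC 6649 (single DES) and RFC 8429 (RC4 and triple DES).
WEAK_ENCTYPES = {"des", "des-cbc-crc", "des-cbc-md5", "des-cbc-md4",
                 "arcfour-hmac", "arcfour-hmac-md5", "des3-hmac-sha1", "des3-cbc-sha1"}

def parse_profile(text):
    """Parse MIT krb5 profile syntax ([section], key = value, key = { ... }) into nested dicts."""
    root, stack, cur = {}, [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # comments occupy whole lines in this format
            continue
        if line.startswith("[") and line.endswith("]"):
            cur, stack = root.setdefault(line[1:-1], {}), []
        elif line == "}":
            cur = stack.pop()  # close the current { ... } block
        else:
            key, _, value = line.partition("=")
            key, value = key.strip(), value.strip()
            if value == "{":
                stack.append(cur)
                cur = cur.setdefault(key, {})
            else:
                cur[key] = value
    return root

def audit_realm(profile, realm):
    """Return findings for one [realms] stanza; an empty list means nothing was flagged."""
    r = profile["realms"][realm]
    findings = []
    # supported_enctypes entries look like enctype:salttype, so compare the enctype part only.
    weak = [e for e in r.get("supported_enctypes", "").split() if e.split(":")[0] in WEAK_ENCTYPES]
    if weak:
        findings.append("weak supported_enctypes: " + " ".join(weak))
    if r.get("master_key_type", "") in WEAK_ENCTYPES:
        findings.append("weak master_key_type: " + r["master_key_type"])
    if "+preauth" not in r.get("default_principal_flags", ""):
        findings.append("default_principal_flags lacks +preauth")
    return findings
```

The same parser reads the krb5.conf listing above, including the nested v4_name_convert block, so the [realms] and [domain_realm] sections can be checked with the same code.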
Database
root@charity:/etc# cd /var/lib/krb5kdc/
root@charity:/var/lib/krb5kdc# ll
total 24
drwx------  2 root root 4096 2011-08-04 11:57 ./
drwxr-xr-x 30 root root 4096 2011-08-04 11:37 ../
-rw-------  1 root root 8192 2011-08-05 02:55 principal
-rw-------  1 root root 8192 2011-08-04 11:57 principal.kadm5
-rw-------  1 root root    0 2011-08-04 11:57 principal.kadm5.lock
-rw-------  1 root root    0 2011-08-05 02:55 principal.ok
Keytab files
root@charity:/var/lib/krb5kdc# cd /etc
root@charity:/etc# find -name "*.keytab"
./apache2/apache2.keytab