cvs commit: BLFS/BOOK/postlfs/security/heimdal heimdal-config.xml heimdal-desc.xml heimdal-exp.xml heimdal-inst.xml heimdal-intro.xml heimdal.ent

igor at linuxfromscratch.org
Tue Apr 27 13:26:14 PDT 2004


igor        04/04/27 14:26:14

  Added:       BOOK/postlfs/security heimdal.xml
               BOOK/postlfs/security/heimdal heimdal-config.xml
                        heimdal-desc.xml heimdal-exp.xml heimdal-inst.xml
                        heimdal-intro.xml heimdal.ent
  Log:
  always forgetting to add the files...
  
  Revision  Changes    Path
  1.1                  BLFS/BOOK/postlfs/security/heimdal.xml
  
  Index: heimdal.xml
  ===================================================================
  <sect1 id="heimdal">
  <?dbhtml filename="heimdal.html" dir="postlfs"?>
  <title>Heimdal-&heimdal-version;</title>
  
  &heimdal-intro;
  &heimdal-inst;
  &heimdal-exp;
  &heimdal-config;
  &heimdal-desc;
  
  </sect1>
  
  
  
  1.1                  BLFS/BOOK/postlfs/security/heimdal/heimdal-config.xml
  
  Index: heimdal-config.xml
  ===================================================================
  <sect2>
  <title>Configuring Heimdal</title>
  
  <sect3><title>Config files</title>
  <para><filename>/etc/heimdal/*</filename></para>
  </sect3>
  
  <sect3><title>Configuration Information</title>
  
  <para>
  Create the Kerberos configuration file with the following command:
  </para>
  
  <screen><userinput><command>cat > /etc/heimdal/krb5.conf << "EOF"</command>
  # Begin /etc/heimdal/krb5.conf
          
  [libdefaults]
      default_realm = LFS.ORG
      encrypt = true
  
  [realms]
      LFS.ORG = {
          kdc = belgarath.lfs.org
          admin_server = belgarath.lfs.org
      }
  
  [domain_realm]
      .lfs.org = LFS.ORG
  
  [logging]
      kdc = FILE:/var/log/kdc.log
      admin_server = FILE:/var/log/kadmin.log
      default = FILE:/var/log/krb.log
  
  # End /etc/heimdal/krb5.conf
  <command>EOF</command></userinput></screen>
  
<para>
You will need to substitute your own domain and the proper hostname for
every occurrence of the belgarath and lfs.org names.
</para>
  
<para>
<userinput>default_realm</userinput> should be the name of your domain
converted to upper case. This isn't required, but both Heimdal and
<acronym>MIT</acronym> recommend it.
</para>
  
<para>
<userinput>encrypt = true</userinput> requests encryption of all traffic
between kerberized clients and servers. It is not required and can be left
off; if you leave it off, you can still encrypt the traffic of an
individual session with a switch on the client program instead.
</para>
  
  <para>
  The <userinput>[realms]</userinput> parameters tell the client programs where to look for the
  <acronym>KDC</acronym> authentication services.
  </para>
  
  <para>
  The <userinput>[domain_realm]</userinput> section maps a domain to a realm.
  </para>
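<para>
The following is an added example and not part of the BLFS book or of
Heimdal: a small POSIX shell and awk checker for the krb5.conf layout shown
above. It looks up values in plain sections and in the nested
<userinput>REALM = { ... }</userinput> blocks of <userinput>[realms]</userinput>,
and verifies that <userinput>default_realm</userinput> and every realm named in
<userinput>[domain_realm]</userinput> actually has a <userinput>kdc</userinput>
defined. The two sample files are constructed inside the script from the
book's example (LFS.ORG and belgarath.lfs.org are the book's placeholders);
the function and variable names are the example's own.
</para>

```shell
#!/bin/sh
# Added example, not part of the BLFS book or of Heimdal: a consistency
# check for the krb5.conf layout shown above, parsed with awk so it runs
# without Heimdal installed. Realm and host names are the book's
# placeholders; the two sample files below are constructed here.

# krb5_lookup FILE SECTION BLOCK KEY
#   Print the value of KEY directly under [SECTION] (BLOCK empty), or under
#   the "BLOCK = { ... }" sub-block of [SECTION] (e.g. a realm in [realms]).
krb5_lookup() {
    awk -v want_sec="$2" -v want_blk="$3" -v want_key="$4" '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        /^[ \t]*#/ || /^[ \t]*$/ { next }                     # comments, blanks
        /^[ \t]*[[].*[]][ \t]*$/ {                            # [section] header
            sec = $0; gsub(/[][ \t]/, "", sec); blk = ""; next
        }
        /=[ \t]*[{][ \t]*$/ {                                 # "NAME = {"
            blk = trim(substr($0, 1, index($0, "=") - 1)); next
        }
        /^[ \t]*[}]/ { blk = ""; next }                       # end of sub-block
        sec == want_sec && blk == want_blk {
            eq = index($0, "=")
            if (eq && trim(substr($0, 1, eq - 1)) == want_key) {
                print trim(substr($0, eq + 1)); exit
            }
        }' "$1"
}

# krb5_mapped_realms FILE: every realm that [domain_realm] maps a domain to.
krb5_mapped_realms() {
    awk '
        /^[ \t]*#/ { next }
        /^[ \t]*[[].*[]][ \t]*$/ { sec = $0; gsub(/[][ \t]/, "", sec); next }
        sec == "domain_realm" && index($0, "=") {
            v = substr($0, index($0, "=") + 1); gsub(/[ \t]/, "", v); print v
        }' "$1" | sort -u
}

# krb5_check_realms FILE: 0 if default_realm is set and every realm the file
# refers to (default_realm and all [domain_realm] targets) has a kdc under
# [realms]; otherwise report each problem on stderr and return 1.
krb5_check_realms() {
    conf="$1"; rc=0
    default=$(krb5_lookup "$conf" libdefaults "" default_realm)
    [ -n "$default" ] || { echo "$conf: no default_realm in [libdefaults]" >&2; rc=1; }
    for realm in $(printf '%s\n' $default $(krb5_mapped_realms "$conf") | sort -u); do
        kdc=$(krb5_lookup "$conf" realms "$realm" kdc)
        if [ -z "$kdc" ]; then
            echo "$conf: realm $realm is referenced but has no kdc in [realms]" >&2
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: the book's krb5.conf, written to a temporary file.
KRB5_SAMPLE_CONF=$(mktemp) || exit 1
cat > "$KRB5_SAMPLE_CONF" << "EOF"
# Begin /etc/heimdal/krb5.conf
[libdefaults]
    default_realm = LFS.ORG
    encrypt = true

[realms]
    LFS.ORG = {
        kdc = belgarath.lfs.org
        admin_server = belgarath.lfs.org
    }

[domain_realm]
    .lfs.org = LFS.ORG

[logging]
    kdc = FILE:/var/log/kdc.log
EOF

# Constructed broken sample: maps a second domain to a realm that is never
# defined under [realms], the mistake the check is meant to catch.
KRB5_BROKEN_CONF=$(mktemp) || exit 1
awk '/^[[]logging[]]/ { print "    .example.org = EXAMPLE.ORG"; print "" } { print }' \
    "$KRB5_SAMPLE_CONF" > "$KRB5_BROKEN_CONF"
trap 'rm -f "$KRB5_SAMPLE_CONF" "$KRB5_BROKEN_CONF"' EXIT

echo "default_realm: $(krb5_lookup "$KRB5_SAMPLE_CONF" libdefaults "" default_realm)"
echo "kdc for LFS.ORG: $(krb5_lookup "$KRB5_SAMPLE_CONF" realms LFS.ORG kdc)"
krb5_check_realms "$KRB5_SAMPLE_CONF" && echo "sample: consistent"
krb5_check_realms "$KRB5_BROKEN_CONF" || echo "broken sample: rejected"
```

<para>
Run it against a real file with <userinput>krb5_check_realms /etc/heimdal/krb5.conf</userinput>
after sourcing the script; the parser only understands the simple
<userinput>key = value</userinput> and one-level <userinput>NAME = { ... }</userinput> forms used
in the book's example, which is enough to catch a domain mapped to a realm whose
<userinput>[realms]</userinput> block was never written.
</para>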
  
  <para>
  Store the master password in a key file using the following commands:
  </para>
  
  <screen><userinput><command>install -d -m 755 /var/lib/heimdal &&
  kstash</command></userinput></screen>
  
  <para>
  Create the <acronym>KDC</acronym> database:
  </para>
  
  <screen><userinput><command>kadmin -l</command></userinput></screen>
  
<para>
Accept the defaults for now; you can change them later, should you feel
the need. At the <userinput>kadmin></userinput> prompt, issue the following
statement:
</para>
  
  <screen><userinput><command>init LFS.ORG</command></userinput></screen>
  
<para>
Now we need to populate the database with principals (users). For now,
just use your regular login name or root.
</para>
  
  <screen><userinput><command>add loginname</command></userinput></screen>
  
  <para>
  The <acronym>KDC</acronym> server and any machine running kerberized
  server daemons must have a host key installed:
  </para>
  
  <screen><userinput><command>add --random-key host/belgarath.lfs.org</command></userinput></screen>
  
  <para>
  After choosing the defaults when prompted, you will have to export the
  data to a keytab file:
  </para>
  
  <screen><userinput><command>ext host/belgarath.lfs.org</command></userinput></screen>
  
<para>
This should have created two files in
<filename class="directory">/etc/heimdal</filename>:
<filename>krb5.keytab</filename> (Kerberos 5) and
<filename>srvtab</filename> (Kerberos 4). Both files should have 600
(root read/write only) permissions. Keeping the keytab files from public
access is crucial to the overall security of the Kerberos installation,
because they hold the host's long-term keys.
</para>
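<para>
The following is an added example and not part of the BLFS book or of
Heimdal: a POSIX shell check that a keytab is a regular file with mode 600
and the expected owner, built only on <command>ls</command> output so it
runs on any Unix. The owner is a parameter (defaulting to root) so the
check can be exercised on a constructed temporary file as an ordinary
user; the function names are the example's own.
</para>

```shell
#!/bin/sh
# Added example, not part of the BLFS book or of Heimdal: verify that a
# keytab has mode 600 and is owned by the expected user. The book's files
# are /etc/heimdal/krb5.keytab and /etc/heimdal/srvtab; the demonstration
# at the bottom uses a constructed temporary file, not a real keytab.

# keytab_mode FILE: print the 10-character mode string, e.g. -rw-------
keytab_mode() { ls -ld -- "$1" | cut -c1-10; }

# keytab_owner FILE: print the owning user name (third field of ls -l)
keytab_owner() { ls -ld -- "$1" | awk '{ print $3 }'; }

# keytab_ok FILE [OWNER]: 0 if FILE is a regular file, mode 600 and owned
# by OWNER (default root); otherwise print the reason to stderr, return 1.
keytab_ok() {
    file="$1"; owner="${2:-root}"
    [ -f "$file" ] || { echo "$file: not a regular file" >&2; return 1; }
    mode=$(keytab_mode "$file")
    if [ "$mode" != "-rw-------" ]; then
        echo "$file: mode is $mode, expected -rw------- (600)" >&2; return 1
    fi
    actual=$(keytab_owner "$file")
    if [ "$actual" != "$owner" ]; then
        echo "$file: owned by $actual, expected $owner" >&2; return 1
    fi
    return 0
}

# check_heimdal_keytabs [DIR] [OWNER]: run keytab_ok over both files the
# book's "ext" command writes; returns 1 if either one fails the check.
check_heimdal_keytabs() {
    dir="${1:-/etc/heimdal}"; rc=0
    for f in krb5.keytab srvtab; do
        keytab_ok "$dir/$f" "${2:-root}" || rc=1
    done
    return $rc
}

# Demonstration on a constructed temporary directory (no real keys involved).
demo_dir=$(mktemp -d) || exit 1
trap 'rm -rf "$demo_dir"' EXIT
for f in krb5.keytab srvtab; do
    printf 'placeholder, not a real keytab\n' > "$demo_dir/$f"
done
chmod 644 "$demo_dir/krb5.keytab"; chmod 600 "$demo_dir/srvtab"
check_heimdal_keytabs "$demo_dir" "$(id -un)" || echo "demo: krb5.keytab rejected"
chmod 600 "$demo_dir/krb5.keytab"
check_heimdal_keytabs "$demo_dir" "$(id -un)" && echo "demo: both keytabs OK"
```

<para>
On the real system, run <userinput>check_heimdal_keytabs</userinput> with no
arguments after the <command>ext</command> step; a non-zero exit means one
of the two files is world- or group-readable or not owned by root.
</para>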
  
<para>
Eventually, you'll want to add server daemon principals to the database
and extract them to the keytab file. You do this in the same way you
created the host principal. Below is an example:
</para>
  
  <screen><userinput><command>add --random-key ftp/belgarath.lfs.org</command></userinput></screen>
  
  <para>
  (choose the defaults)
  </para>
  
  <screen><userinput><command>ext ftp/belgarath.lfs.org</command></userinput></screen>
  
  <para>
  Exit the <command>kadmin</command> program (use <command>quit</command>
  or <command>exit</command>) and return back to the shell prompt. Start
  the <acronym>KDC</acronym> daemon manually, just to test out the 
  installation:
  </para>
  
  <screen><userinput><command>/usr/sbin/kdc &</command></userinput></screen>
  
  <para>
  Attempt to get a ticket with the following command:
  </para>
  
  <screen><userinput><command>kinit loginname</command></userinput></screen>
  
  <para>
  You will be prompted for the password you created. After you get your
  ticket, you can list it with the following command:
  </para>
  
  <screen><userinput><command>klist</command></userinput></screen>
  
  <para>
  Information about the ticket should be displayed on the screen.
  </para>
  
  <para>
  To test the functionality of the keytab file, issue the following
  command:
  </para>
  
  <screen><userinput><command>ktutil list</command></userinput></screen>
  
<para>
This should list the host principal stored in the keytab, along with the
encryption types of the keys held for it.
</para>
  
  <para>
  At this point, if everything has been successful so far, you can feel
  fairly confident in the installation and configuration of the package.
  </para>
  
  <para>Install <filename>/etc/rc.d/init.d/heimdal</filename> init script
  included in the <xref linkend="intro-important-bootscripts"/>
  package.</para>
  
  <screen><userinput><command>make install-heimdal</command></userinput></screen>
  
  </sect3>
  
  </sect2>
  
  
  
  1.1                  BLFS/BOOK/postlfs/security/heimdal/heimdal-desc.xml
  
  Index: heimdal-desc.xml
  ===================================================================
  <sect2>
  <title>Contents</title>
  
  <para>The <application>Heimdal</application> package contains
  <command>afslog</command>,
  <command>dump_log</command>,
  <command>ftp</command>,
  <command>ftpd</command>,
  <command>hprop</command>,
  <command>hpropd</command>,
  <command>ipropd-master</command>,
  <command>ipropd-slave</command>,
  <command>kadmin</command>,
  <command>kadmind</command>,
  <command>kauth</command>,
  <command>kdc</command>,
  <command>kdestroy</command>,
  <command>kf</command>,
  <command>kfd</command>,
  <command>kgetcred</command>,
  <command>kinit</command>,
  <command>klist</command>,
  <command>kpasswd</command>,
  <command>kpasswdd</command>,
  <command>krb5-config</command>,
  <command>kstash</command>,
  <command>ktutil</command>,
  <command>kx</command>,
  <command>kxd</command>,
  <command>login</command>,
  <command>mk_cmds</command>,
  <command>otp</command>,
  <command>otpprint</command>,
  <command>pagsh</command>,
  <command>pfrom</command>,
  <command>popper</command>,
  <command>push</command>,
  <command>rcp</command>,
  <command>replay_log</command>,
  <command>rsh</command>,
  <command>rshd</command>,
  <command>rxtelnet</command>,
  <command>rxterm</command>,
  <command>string2key</command>,
  <command>su</command>,
  <command>telnet</command>,
  <command>telnetd</command>,
  <command>tenletxr</command>,
  <command>truncate_log</command>,
  <command>verify_krb5_conf</command>,
  <command>xnlock</command>,
  <filename class="libraryfile">libasn1</filename>,
  <filename class="libraryfile">libeditline</filename>,
  <filename class="libraryfile">libgssapi</filename>,
  <filename class="libraryfile">libhdb</filename>,
  <filename class="libraryfile">libkadm5clnt</filename>,
  <filename class="libraryfile">libkadm5srv</filename>,
  <filename class="libraryfile">libkafs</filename>,
  <filename class="libraryfile">libkrb5</filename>,
  <filename class="libraryfile">libotp</filename>,
  <filename class="libraryfile">libroken</filename>,
  <filename class="libraryfile">libsl</filename> and
  <filename class="libraryfile">libss</filename>.
  
  </para>
  
  </sect2>
  <!--
  <sect2><title>Description</title>
  
  </sect2>
  -->
  
  
  
  1.1                  BLFS/BOOK/postlfs/security/heimdal/heimdal-exp.xml
  
  Index: heimdal-exp.xml
  ===================================================================
  <sect2>
  <title>Command explanations</title>
  
  <para><parameter>--libexecdir=/usr/sbin</parameter>:
  This switch puts the daemon programs into <filename
  class="directory">/usr/sbin</filename>.
  </para>
  
  <note><para>
  If you want to preserve all your existing Inetutils package daemons,
  install the Heimdal daemons into <filename
      class="directory">/usr/sbin/heimdal</filename> (or wherever you want).
  Since these programs will be called from <command>(x)inetd</command> or
  <command>rc</command> scripts, it really doesn't matter where they live,
  as long as they are correctly specified in the
  <filename>/etc/(x)inetd.conf</filename> file and <command>rc</command>
  scripts. If you choose something other than <filename
  class="directory">/usr/sbin</filename>, you may want to move some of the
  user programs (such as <command>kadmin</command>) to <filename
  class="directory">/usr/sbin</filename> manually.
  </para></note>
  
<para><command>cp /usr/bin/login /bin && mv /usr/bin/su /bin</command>:
The <command>login</command> and <command>su</command> programs
installed by Heimdal belong in the <filename
class="directory">/bin</filename> directory. The
<command>login</command> program is copied rather than moved because
Heimdal expects to find it in <filename class="directory">/usr/bin</filename>.
</para>
  
  </sect2>
  
  
  
  1.1                  BLFS/BOOK/postlfs/security/heimdal/heimdal-inst.xml
  
  Index: heimdal-inst.xml
  ===================================================================
  <sect2>
  <title>Installation of <application>Heimdal</application></title>
  
<para>
Before installing the package, you may want to preserve the
<command>ftp</command> program from the Inetutils package. This is
because using the Heimdal <command>ftp</command> program to connect to
non-kerberized ftp servers may not work properly. It will allow you to
connect (warning you that the password is transmitted in clear text)
but will have problems doing puts and gets.
</para>
  
  <screen><userinput><command>mv /usr/bin/ftp /usr/bin/ftpn</command></userinput></screen>
  
  <para>Install <application>Heimdal</application> by running the following commands:</para>
  
  <screen><userinput><command>patch -Np1 -i ../heimdal-&heimdal-version;-fhs-compliance-1.patch &&
  ./configure --prefix=/usr --sysconfdir=/etc/heimdal \
      --datadir=/var/lib/heimdal --libexecdir=/usr/sbin \
      --sharedstatedir=/usr/share --localstatedir=/var/lib/heimdal \
      --enable-shared --with-openssl=/usr &&
  make &&
  make install &&
  cp /usr/bin/login /bin &&
  mv /usr/bin/su /bin</command></userinput></screen>
  
  </sect2>
  
  
  
  1.1                  BLFS/BOOK/postlfs/security/heimdal/heimdal-intro.xml
  
  Index: heimdal-intro.xml
  ===================================================================
  <sect2>
  <title>Introduction to <application>Heimdal</application></title>
  
<para>
<application>Heimdal</application> is a free implementation of Kerberos 5
that aims to be compatible with <acronym>MIT</acronym> Kerberos and is
backwards compatible with Kerberos 4. Kerberos is a network authentication
protocol: it lets users and services prove their identity to each other
across an untrusted network (such as the Internet) without sending
passwords over that network. Kerberized applications work hand-in-hand
with sites that support Kerberos to ensure that passwords cannot be
stolen. A Kerberos installation will make changes to the authentication
mechanisms on your network and will overwrite several programs and
daemons from the Coreutils, Inetutils and Shadow packages.
</para>
  
  <sect3><title>Package information</title>
  <itemizedlist spacing='compact'>
  <listitem><para>Download (HTTP): <ulink url="&heimdal-download-http;"/></para></listitem>
  <listitem><para>Download (FTP): <ulink url="&heimdal-download-ftp;"/></para></listitem>
  <listitem><para>Download size: &heimdal-size;</para></listitem>
  <listitem><para>Estimated Disk space required: &heimdal-buildsize;</para></listitem>
  <listitem><para>Estimated build time: &heimdal-time;</para></listitem></itemizedlist>
  </sect3>
  
  <sect3><title>Additional downloads</title>
  <itemizedlist spacing='compact'>
  <listitem><para>Required patch: <ulink
  url="&patch-root;/heimdal-&heimdal-version;-fhs-compliance-1.patch"/></para>
  </listitem>
  </itemizedlist>
  
  </sect3>
  
  <sect3><title><application>Heimdal</application> dependencies</title>
  <sect4><title>Required</title>
  <para>
  <xref linkend="openssl"/> and
  <xref linkend="db"/>
  </para></sect4>
  <sect4><title>Optional</title>
  <para>
  <xref linkend="tcpwrappers"/>,
  <xref linkend="readline"/>,
  <xref linkend="Linux_PAM"/> and
  <xref linkend="xorg"/> or
  <xref linkend="xfree86"/>
  </para></sect4>
  </sect3>
  
  </sect2>
  
  
  
  1.1                  BLFS/BOOK/postlfs/security/heimdal/heimdal.ent
  
  Index: heimdal.ent
  ===================================================================
  <!ENTITY heimdal SYSTEM "../heimdal.xml">
  <!ENTITY heimdal-intro SYSTEM "heimdal-intro.xml">
  <!ENTITY heimdal-inst SYSTEM "heimdal-inst.xml">
  <!ENTITY heimdal-exp SYSTEM "heimdal-exp.xml">
  <!ENTITY heimdal-config SYSTEM "heimdal-config.xml">
  <!ENTITY heimdal-desc SYSTEM "heimdal-desc.xml">
  <!ENTITY heimdal-version "0.6.1">
  <!ENTITY heimdal-download-http "">
  <!ENTITY heimdal-download-ftp "ftp://ftp.pdc.kth.se/pub/heimdal/src/heimdal-&heimdal-version;.tar.gz">
  <!ENTITY heimdal-size "3.2 MB">
  <!ENTITY heimdal-buildsize "142 MB">
  <!ENTITY heimdal-time "2.55 SBU">
  
  
  


