142


Chapter 10. Kerberos


Once you have completed the steps listed above, the Kerberos server should be up and running. Next,


we will set up a Kerberos client.


10.7. Configuring a Kerberos 5 Client


Setting up a Kerberos 5 client is less involved than setting up a server. At minimum, install the client


packages and provide each client with a valid


krb5.conf


configuration file. Kerberized versions of


rsh


and


rlogin


will also require some configuration changes.


1. Be sure that you have time synchronization in place between the Kerberos client and KDC.


See Section 10.6 for more information. In addition, verify that DNS is working properly on the


Kerberos client before configuring the Kerberos client programs.


2. Install the


krb5 libs


and


krb5 workstation


packages on all of the client machines. You


must supply a version of


/etc/krb5.conf


for each client; usually this can be the same


krb5.conf


used by the KDC.


3. Before a workstation in the realm can allow users to connect using kerberized


rsh


and


rlogin


,


that workstation will need to have the


xinetd


package installed and have its own host principal


in the Kerberos database. The


kshd


and


klogind


server programs will also need access to the


keys for their service's principal.


Using


kadmin


, add a host principal for the workstation on the KDC. The instance in this case


will be the hostname of the workstation. You can use the


 randkey


option to kadmin's


ad 


dprinc


command on the KDC to create the principal and assign it a random key:


addprinc  randkey host/blah.example.com


Now that you have created the principal, you can extract the keys for the workstation by running


kadmin


on the workstation itself , and using the


ktadd


command within


kadmin


:


ktadd  k /etc/krb5.keytab host/blah.example.com


In order to use the kerberized versions of


rsh


and


rlogin


, you must enable


klogin


,


eklogin


,


and


kshell


.


1


4. Other kerberized network services will need to be started. To use kerberized


telnet


, you must


enable


krb5 telnet


.


To provide FTP access, create and extract a key for a principal with a root of ftp, with the


instance set to the hostname of the FTP server. Then enable


gssftp


.


The IMAP server included in the


imap


package will use GSS API authentication using Kerberos


5 if it finds the proper key in


/etc/krb5.keytab


. The root for the principal should be


imap


.


The CVS gserver uses a principal with a root of


cvs


and is otherwise identical to a


pserver


.


10.8. Additional Resources


For more information on Kerberos, refer to the following resources.


1. Refer to the chapter titled Controlling Access to Services in the Official Red Hat Linux Customization Guide


for details on enabling services.








footer






  


 


 


        

 


 

  

    

      
      
 Home 
      | About Us | Network 
      | Services | Support 
      | FAQ | Control Panel 
      | Order Online |
      Sitemap | Contact

      

      tomcat hosting

      
 

    

  

  




Our partners: 
PHP: Hypertext Preprocessor Best Web Hosting
Java Web Hosting
Inexpensive Web Hosting 
Jsp Web Hosting 




Cheapest Web Hosting
Jsp Hosting
Cheap Hosting



Visionwebhosting.net Business web hosting division of Web 
Design Plus. All rights reserved