X-Git-Url: https://sipb.mit.edu/gitweb.cgi/wiki.git/blobdiff_plain/51b8135c280a50b7c3fb34d0f960a1d2fa35324a..8d6c7cd7efde6ea44a9f6e73c7cfe82df69256b3:/doc/KerberizedServer?ds=sidebyside diff --git a/doc/KerberizedServer b/doc/KerberizedServer index 75cc4f8..d9d2fbf 100644 --- a/doc/KerberizedServer +++ b/doc/KerberizedServer 
@@ -1,20 +1,12 @@ -If you want kerberized logins on a server you run, you'll need a '''keytab''' from accounts. Fill out the [http://web.mit.edu/accounts/www/srvtabform.html keytab request form], which sends them an e-mail. += Enabling Kerberos logins for your server = -They'll probably give you a srvtab, unless you specifically ask for a keytab. A srvtab is Kerberos 4 and a keytab is Kerberos 5; you probably have no use for a srvtab. It will be in {{{/mit/accounts/srvtabs/FOR_YOURUSERNAME}}}, which is AFS and vaguely insecure, so you should randomize the key before you use it. +If you want kerberized logins on a server you run, you'll need a '''keytab''' from accounts. Fill out the [http://web.mit.edu/accounts/www/srvtabform.html keytab request form], which sends them an e-mail. Ask for a "keytab"; by default they'll give you a srvtab, the Kerberos 4 analogue. -You probably want to install it in {{{/etc/krb5.keytab}}}. (back up this file before proceeding if you already have one) - -First, read the srvtab and write it out as a keytab: +Your new keytab will be in {{{/mit/accounts/srvtabs/FOR_YOURUSERNAME}}}, which is AFS and vaguely insecure. You probably want to install it in {{{/etc/krb5.keytab}}}, and then randomize the key. {{{ -$ ktutil -ktutil: rst /mit/accounts/srvtabs/FOR_JOEUSER/joeserver-new-srvtab -ktutil: wkt /etc/krb5.keytab -ktutil: q -}}} - -Then randomize the key: -{{{ -$ k5srvutil change +# mv -f /etc/krb5.keytab /etc/krb5.keytab.old # back up any keytab you already have +# mv /mit/accounts/srvtabs/FOR_JOEUSER/joeserver-new-keytab /etc/krb5.keytab +# k5srvutil change }}} Then make sure your {{{/etc/ssh/sshd_config}}} file includes the lines 
@@ -26,4 +18,16 @@ GSSAPIKeyExchange yes This will let you SSH in with Kerberos. -Then create a file called {{{.k5login}}} in the home directory of whichever users you want to be able log into with Kerberos. List the full KerberosPrincipal of each user, one per line (e.g., {{{joeuser@ATHENA.MIT.EDU}}}) \ No newline at end of file +Then create a file called {{{.k5login}}} in the home directory of whichever users you want to be able log into with Kerberos. List the full KerberosPrincipal of each user, one per line (e.g., {{{joeuser@ATHENA.MIT.EDU}}}) + +== Dealing with srvtabs == + +If you don't specifically mention a "keytab" in your request to Accounts, they may give you the Kerberos 4 equivalent, a srvtab. + +In this case you'll want to convert the srvtab to a keytab, like so. +{{{ +$ ktutil +ktutil: rst /mit/accounts/srvtabs/FOR_JOEUSER/joeserver-new-srvtab +ktutil: wkt /etc/krb5.keytab +ktutil: q +}}}
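Review bot: In the first hunk (@@ -1,20 +1,12 @@), the new command block moves the keytab out of AFS into {{{/etc/krb5.keytab}}} and runs {{{k5srvutil change}}}, but never sets the file's ownership or mode. Since the paragraph above it already calls the AFS location "vaguely insecure", the instructions should make sure the installed copy is readable only by root, for example with a {{{chown root /etc/krb5.keytab}}} and {{{chmod 600 /etc/krb5.keytab}}} between the second {{{mv}}} and {{{k5srvutil change}}}. Two smaller points on the same block: the backup line {{{mv -f /etc/krb5.keytab /etc/krb5.keytab.old}}} prints an error on a machine that has no keytab yet and silently replaces any earlier {{{.old}}} file, so it is worth saying the line is optional; and the prose still says "Your new keytab will be in {{{/mit/accounts/srvtabs/FOR_YOURUSERNAME}}}" while the command uses {{{FOR_JOEUSER}}}, so pick one placeholder.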
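Review bot: In the second hunk (@@ -26,4 +18,16 @@), the new "Dealing with srvtabs" section stops at {{{ktutil: q}}} and no longer tells the reader to randomize the key. The removed text followed the conversion with "Then randomize the key" and {{{k5srvutil change}}}; after this change that step appears only in the keytab path at the top of the page, so someone who received a srvtab and follows this section ends up with the key that sat in AFS still in use. Add a closing sentence or command pointing back to {{{k5srvutil change}}}. The section also comes after the sshd_config and {{{.k5login}}} steps although it is a prerequisite for them, so a pointer to it from the first paragraph would help. The {{{ktutil}}} session is shown at a {{{$}}} prompt while it writes {{{/etc/krb5.keytab}}}, whereas the first hunk uses {{{#}}} for the same file. The re-added {{{.k5login}}} line keeps the typo "to be able log into".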