X-Git-Url: https://sipb.mit.edu/gitweb.cgi/wiki.git/blobdiff_plain/5c934f15c32ceafa72eda71775209b91371c90c0..22c43b00b1ef93101bcd9d5a63e13cd260f3d665:/doc/kerberized-server.mdwn diff --git a/doc/kerberized-server.mdwn b/doc/kerberized-server.mdwn index 0aee6cb..96d0767 100644 --- a/doc/kerberized-server.mdwn +++ b/doc/kerberized-server.mdwn @@ -3,19 +3,19 @@ If you want kerberized logins on a server you run, you'll need a *keytab* from accounts. Fill out the [keytab request form](http://web.mit.edu/accounts/www/srvtabform.html), -which sends them an e-mail. Ask for a "keytab"; by default they'll -give you a srvtab, the Kerberos 4 analogue. +which sends them an e-mail. Your new keytab will be in `/mit/accounts/srvtabs/FOR_YOURUSERNAME`, which is AFS and vaguely insecure. You probably want to install it in `/etc/krb5.keytab`, -and then randomize the key. +and then set a new (random) key. # mv -f /etc/krb5.keytab /etc/krb5.keytab.old # back up any keytab you already have # mv /mit/accounts/srvtabs/FOR_JOEUSER/joeserver-new-keytab /etc/krb5.keytab # k5srvutil change + # k5srvutil delold -Then make sure your `/etc/ssh/sshd_config` file includes the lines +If you're using Debathena, you can install the `debathena-ssh-server-config` package to configure Kerberos authentication on the server side. If not, make sure your `/etc/ssh/sshd_config` file includes the lines GSSAPIAuthentication yes GSSAPIKeyExchange yes @@ -23,18 +23,15 @@ Then make sure your `/etc/ssh/sshd_config` file includes the lines This will let you SSH in with Kerberos. Then create a file called `.k5login` in the home directory of -whichever users you want to be able log into with Kerberos. List the +whichever users you want to be able to log into with Kerberos. List the full Kerberos principal of each user, one per line (e.g., `joeuser@ATHENA.MIT.EDU`) -## Dealing with srvtabs - -If you don't specifically mention a "keytab" in your request to -Accounts, they may give you the Kerberos 4 equivalent, a srvtab. - -In this case you'll want to convert the srvtab to a keytab, like so. - - $ ktutil - ktutil: rst /mit/accounts/srvtabs/FOR_JOEUSER/joeserver-new-srvtab - ktutil: wkt /etc/krb5.keytab - ktutil: q +If you don't want it to be possible to log in to a user account via +Kerberos, create an empty `.k5login` file in their home directory. +Otherwise, by default, you can log in to a user account with a Kerberos +principal from the default realm (ATHENA, presumably) whose username +matches; that is to say, an Athena user whose username matches a local +username can log in to that local account. (One option to avoid this is +to create a `.k5login` file in `/etc/skel` so that new accounts you +later add get this file by default.)