X-Git-Url: https://sipb.mit.edu/gitweb.cgi/wiki.git/blobdiff_plain/644e4fe4adf47aa1676087597be1610e5d83628d..0e6f037754eb2f9caae159006e9e5867545401f1:/doc/KerberizedServer diff --git a/doc/KerberizedServer b/doc/KerberizedServer index 74f0bc6..d9d2fbf 100644 --- a/doc/KerberizedServer +++ b/doc/KerberizedServer 
@@ -1,22 +1,33 @@ -If you want kerberized logins on a server you run, you'll need a '''keytab''' from accounts. Send them an e-mail like "I want a host keytab for [some server you own]" or fill out the [http://web.mit.edu/accounts/www/srvtabform.html keytab request form] which sends them an e-mail. += Enabling Kerberos logins for your server = -They'll probably give you a srvtab, unless you specifically ask for a keytab. A srvtab is Kerberos 4 and a keytab is Kerberos 5; you probably have no use for a srvtab. It will be in {{{/mit/accounts/srvtabs/FOR_YOURUSERNAME}}}, which is AFS and vaguely insecure, so you should randomize the key before you use it. +If you want kerberized logins on a server you run, you'll need a '''keytab''' from accounts. Fill out the [http://web.mit.edu/accounts/www/srvtabform.html keytab request form], which sends them an e-mail. Ask for a "keytab"; by default they'll give you a srvtab, the Kerberos 4 analogue. -You probably want to install it in {{{/etc/krb5.keytab}}}. (back up this file before proceeding if you already have one) - -First, read the srvtab and write it out as a keytab: +Your new keytab will be in {{{/mit/accounts/srvtabs/FOR_YOURUSERNAME}}}, which is AFS and vaguely insecure. You probably want to install it in {{{/etc/krb5.keytab}}}, and then randomize the key. {{{ -$ ktutil -ktutil: rst /mit/accounts/srvtabs/FOR_JOEUSER/joeserver-new-srvtab -ktutil: wkt /etc/krb5.keytab -ktutil: q +# mv -f /etc/krb5.keytab /etc/krb5.keytab.old # back up any keytab you already have +# mv /mit/accounts/srvtabs/FOR_JOEUSER/joeserver-new-keytab /etc/krb5.keytab +# k5srvutil change }}} -Then randomize the key: +Then make sure your {{{/etc/ssh/sshd_config}}} file includes the lines + {{{ -$ k5srvutil change +GSSAPIAuthentication yes +GSSAPIKeyExchange yes }}} -Then make sure your {{{/etc/ssh/sshd_config}}} file includes the line {{{GSSAPIAuthentication yes}}}. This will let you SSH in with Kerberos. +This will let you SSH in with Kerberos. 
+ +Then create a file called {{{.k5login}}} in the home directory of whichever users you want to be able log into with Kerberos. List the full KerberosPrincipal of each user, one per line (e.g., {{{joeuser@ATHENA.MIT.EDU}}}) + +== Dealing with srvtabs == -Then create a file called {{{.k5login}}} in the home directory of whichever users you want to be able log into with Kerberos. List the full KerberosPrincipal of each user, one per line (e.g., {{{joeuser@ATHENA.MIT.EDU}}}) \ No newline at end of file +If you don't specifically mention a "keytab" in your request to Accounts, they may give you the Kerberos 4 equivalent, a srvtab. + +In this case you'll want to convert the srvtab to a keytab, like so. +{{{ +$ ktutil +ktutil: rst /mit/accounts/srvtabs/FOR_JOEUSER/joeserver-new-srvtab +ktutil: wkt /etc/krb5.keytab +ktutil: q +}}}
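Review bot: the `mv` of the keytab out of AFS in the new snippet installs `/etc/krb5.keytab` with whatever owner and mode the AFS copy carried, and the surrounding text still says you only "probably want" to randomize the key, even though the same hunk calls the AFS location "vaguely insecure"; the key change should be stated as required rather than optional, and the snippet should fix ownership and permissions before `k5srvutil change`, e.g. `# chown root:root /etc/krb5.keytab` and `# chmod 600 /etc/krb5.keytab`. A second point on the sshd_config block: `GSSAPIKeyExchange yes` is only understood by sshd builds that carry the GSSAPI key-exchange patch (Debian and Ubuntu packages include it; upstream OpenSSH does not), and sshd refuses to start on an unrecognised keyword, so the text should either name that dependency or mark the `GSSAPIKeyExchange` line as optional while keeping `GSSAPIAuthentication yes` as the required one.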