From: Greg Price Date: Mon, 21 Sep 2009 00:52:11 +0000 (-0400) Subject: KerberizedServer -> kerberized-server.mdwn X-Git-Url: https://sipb.mit.edu/gitweb.cgi/wiki.git/commitdiff_plain/5c934f15c32ceafa72eda71775209b91371c90c0?hp=45795b96589ba8fa3b0ad6e3bfacec2382b964d5;ds=sidebyside KerberizedServer -> kerberized-server.mdwn --- diff --git a/doc/KerberizedServer b/doc/KerberizedServer deleted file mode 100644 index d9d2fbf..0000000 --- a/doc/KerberizedServer +++ /dev/null @@ -1,33 +0,0 @@ -= Enabling Kerberos logins for your server = - -If you want kerberized logins on a server you run, you'll need a '''keytab''' from accounts. Fill out the [http://web.mit.edu/accounts/www/srvtabform.html keytab request form], which sends them an e-mail. Ask for a "keytab"; by default they'll give you a srvtab, the Kerberos 4 analogue. - -Your new keytab will be in {{{/mit/accounts/srvtabs/FOR_YOURUSERNAME}}}, which is AFS and vaguely insecure. You probably want to install it in {{{/etc/krb5.keytab}}}, and then randomize the key. -{{{ -# mv -f /etc/krb5.keytab /etc/krb5.keytab.old # back up any keytab you already have -# mv /mit/accounts/srvtabs/FOR_JOEUSER/joeserver-new-keytab /etc/krb5.keytab -# k5srvutil change -}}} - -Then make sure your {{{/etc/ssh/sshd_config}}} file includes the lines - -{{{ -GSSAPIAuthentication yes -GSSAPIKeyExchange yes -}}} - -This will let you SSH in with Kerberos. - -Then create a file called {{{.k5login}}} in the home directory of whichever users you want to be able log into with Kerberos. List the full KerberosPrincipal of each user, one per line (e.g., {{{joeuser@ATHENA.MIT.EDU}}}) - -== Dealing with srvtabs == - -If you don't specifically mention a "keytab" in your request to Accounts, they may give you the Kerberos 4 equivalent, a srvtab. - -In this case you'll want to convert the srvtab to a keytab, like so. -{{{ -$ ktutil -ktutil: rst /mit/accounts/srvtabs/FOR_JOEUSER/joeserver-new-srvtab -ktutil: wkt /etc/krb5.keytab -ktutil: q -}}} 
diff --git a/doc/kerberized-server.mdwn b/doc/kerberized-server.mdwn new file mode 100644 index 0000000..0aee6cb --- /dev/null +++ b/doc/kerberized-server.mdwn @@ -0,0 +1,40 @@ +[[!meta title="Enabling Kerberos logins for your server"]] + +If you want kerberized logins on a server you run, you'll need a +*keytab* from accounts. Fill out the +[keytab request form](http://web.mit.edu/accounts/www/srvtabform.html), +which sends them an e-mail. Ask for a "keytab"; by default they'll +give you a srvtab, the Kerberos 4 analogue. + +Your new keytab will be in +`/mit/accounts/srvtabs/FOR_YOURUSERNAME`, which is AFS and vaguely +insecure. You probably want to install it in `/etc/krb5.keytab`, +and then randomize the key. + + # mv -f /etc/krb5.keytab /etc/krb5.keytab.old # back up any keytab you already have + # mv /mit/accounts/srvtabs/FOR_JOEUSER/joeserver-new-keytab /etc/krb5.keytab + # k5srvutil change + +Then make sure your `/etc/ssh/sshd_config` file includes the lines + + GSSAPIAuthentication yes + GSSAPIKeyExchange yes + +This will let you SSH in with Kerberos. + +Then create a file called `.k5login` in the home directory of +whichever users you want to be able log into with Kerberos. List the +full Kerberos principal of each user, one per line (e.g., +`joeuser@ATHENA.MIT.EDU`) + +## Dealing with srvtabs + +If you don't specifically mention a "keytab" in your request to +Accounts, they may give you the Kerberos 4 equivalent, a srvtab. + +In this case you'll want to convert the srvtab to a keytab, like so. + + $ ktutil + ktutil: rst /mit/accounts/srvtabs/FOR_JOEUSER/joeserver-new-srvtab + ktutil: wkt /etc/krb5.keytab + ktutil: q
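Review bot: The install step in the new kerberized-server.mdwn (the three `#` commands after "and then randomize the key") moves the keytab into `/etc/krb5.keytab` but never says what ownership and mode the file should end up with. Since the text itself calls the AFS source location "vaguely insecure", add a line telling the reader to make the installed file readable by root only before running `k5srvutil change`. The "Dealing with srvtabs" section has a related gap: it ends at `ktutil: q` and does not point back to the backup `mv` or to `k5srvutil change`, so a reader who follows only that section keeps the key that sat in AFS. A closing sentence such as "then randomize the key as above" would cover it. Two wording slips carried over from the old page are also worth fixing while the file is being converted: "want to be able log into with Kerberos" should read "want to be able to log in with Kerberos", and the `.k5login` sentence is missing its final period after the `joeuser@ATHENA.MIT.EDU` example.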