From: Geoffrey Thomas Date: Sat, 1 Nov 2008 18:26:30 +0000 (-0500) Subject: (no commit message) X-Git-Tag: trac~176 X-Git-Url: https://sipb.mit.edu/gitweb.cgi/wiki.git/commitdiff_plain/644e4fe4adf47aa1676087597be1610e5d83628d?ds=sidebyside --- diff --git a/doc/KerberizedServer b/doc/KerberizedServer new file mode 100644 index 0000000..74f0bc6 --- /dev/null +++ b/doc/KerberizedServer @@ -0,0 +1,22 @@ +If you want kerberized logins on a server you run, you'll need a '''keytab''' from accounts. Send them an e-mail like "I want a host keytab for [some server you own]" or fill out the [http://web.mit.edu/accounts/www/srvtabform.html keytab request form] which sends them an e-mail. + +They'll probably give you a srvtab, unless you specifically ask for a keytab. A srvtab is Kerberos 4 and a keytab is Kerberos 5; you probably have no use for a srvtab. It will be in {{{/mit/accounts/srvtabs/FOR_YOURUSERNAME}}}, which is AFS and vaguely insecure, so you should randomize the key before you use it. + +You probably want to install it in {{{/etc/krb5.keytab}}}. (back up this file before proceeding if you already have one) + +First, read the srvtab and write it out as a keytab: +{{{ +$ ktutil +ktutil: rst /mit/accounts/srvtabs/FOR_JOEUSER/joeserver-new-srvtab +ktutil: wkt /etc/krb5.keytab +ktutil: q +}}} + +Then randomize the key: +{{{ +$ k5srvutil change +}}} + +Then make sure your {{{/etc/ssh/sshd_config}}} file includes the line {{{GSSAPIAuthentication yes}}}. This will let you SSH in with Kerberos. + +Then create a file called {{{.k5login}}} in the home directory of whichever users you want to be able log into with Kerberos. List the full KerberosPrincipal of each user, one per line (e.g., {{{joeuser@ATHENA.MIT.EDU}}}) \ No newline at end of file
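Review bot: The "Then randomize the key" step in doc/KerberizedServer stops at "k5srvutil change", which adds the new random key but keeps the old one in the keytab so existing tickets keep working, so the key that was sitting in the AFS srvtab directory is still present in /etc/krb5.keytab afterwards. Suggest adding a follow-up step to run "k5srvutil delold" once outstanding tickets have expired, and a sentence saying /etc/krb5.keytab should be owned by root and not readable by other users, since the page never states what permissions the file written by "wkt" should have. The parenthetical "(back up this file before proceeding if you already have one)" would be easier to follow as its own step ahead of the ktutil session, because "wkt" appends to an existing keytab rather than replacing it. Minor points: "be able log into with Kerberos" in the last paragraph should read "be able to log in with Kerberos", the commit has no message, and the new file has no trailing newline.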