検索

このコンテンツは選択した言語では利用できません。

19.6. Configuring a Kerberos 5 Client

download PDF
Setting up a Kerberos 5 client is less involved than setting up a server. At a minimum, install the client packages and provide each client with a valid krb5.conf configuration file. Kerberized versions of rsh and rlogin also requires some configuration changes.
  1. Be sure that time synchronization is in place between the Kerberos client and the KDC. Refer to Section 19.5, “Configuring a Kerberos 5 Server” for more information. In addition, verify that DNS is working properly on the Kerberos client before configuring the Kerberos client programs.
  2. Install the krb5-libs and krb5-workstation packages on all of the client machines. Supply a valid /etc/krb5.conf file for each client (usually this can be the same krb5.conf file used by the KDC).
  3. Before a workstation in the realm can allow users to connect using kerberized rsh and rlogin, that workstation must have the xinetd package installed and have its own host principal in the Kerberos database. The kshd and klogind server programs also need access to the keys for their service's principal.
    Using kadmin, add a host principal for the workstation on the KDC. The instance in this case is the hostname of the workstation. Use the -randkey option for the kadmin's addprinc command to create the principal and assign it a random key:
    addprinc -randkey host/blah.example.com
    Now that the principal has been created, keys can be extracted for the workstation by running kadmin on the workstation itself, and using the ktadd command within kadmin:
    ktadd -k /etc/krb5.keytab host/blah.example.com
  4. To use other kerberized network services, they must first be started. Below is a list of some common kerberized services and instructions about enabling them:
    • rsh and rlogin — To use the kerberized versions of rsh and rlogin, enable klogin, eklogin, and kshell.
    • Telnet — To use kerberized Telnet, krb5-telnet must be enabled.
    • FTP — To provide FTP access, create and extract a key for the principal with a root of ftp. Be certain to set the instance to the fully qualified hostname of the FTP server, then enable gssftp.
    • IMAP — To use a kerberized IMAP server, the cyrus-imap package uses Kerberos 5 if it also has the cyrus-sasl-gssapi package installed. The cyrus-sasl-gssapi package contains the Cyrus SASL plugins which support GSS-API authentication. Cyrus IMAP should function properly with Kerberos as long as the cyrus user is able to find the proper key in /etc/krb5.keytab, and the root for the principal is set to imap (created with kadmin).
      The dovecot package also contains an IMAP server alternative to cyrus-imap, which is also included with Red Hat Enterprise Linux, but does not support GSS-API and Kerberos to date.
    • CVS — To use a kerberized CVS server, gserver uses a principal with a root of cvs and is otherwise identical to the CVS pserver.
    For details about how to enable services, refer to the chapter titled Controlling Access to Services in the System Administrators Guide.
Red Hat logoGithubRedditYoutubeTwitter

詳細情報

試用、購入および販売

コミュニティー

Red Hat ドキュメントについて

Red Hat をお使いのお客様が、信頼できるコンテンツが含まれている製品やサービスを活用することで、イノベーションを行い、目標を達成できるようにします。

多様性を受け入れるオープンソースの強化

Red Hat では、コード、ドキュメント、Web プロパティーにおける配慮に欠ける用語の置き換えに取り組んでいます。このような変更は、段階的に実施される予定です。詳細情報: Red Hat ブログ.

会社概要

Red Hat は、企業がコアとなるデータセンターからネットワークエッジに至るまで、各種プラットフォームや環境全体で作業を簡素化できるように、強化されたソリューションを提供しています。

© 2024 Red Hat, Inc.