红帽全球峰会此内容没有您所选择的语言版本。
3.4. Configuring a Kerberos 5 Client
All that is required to set up a Kerberos 5 client is to install the client packages and provide each client with a valid
krb5.conf configuration file. While ssh and slogin are the preferred methods of remotely logging in to client systems, Kerberized versions of rsh and rlogin are still available, with additional configuration changes.
- Be sure that time synchronization is in place between the Kerberos client and the KDC and that DNS is working properly on the Kerberos client.
- Install the
krb5-libsandkrb5-workstationpackages on all of the client machines. - Supply a valid
/etc/krb5.conffile for each client (usually this can be the samekrb5.conffile used by the KDC). - To use kerberized
rshandrloginservices, install thershpackage. - Before a workstation can use Kerberos to authenticate users who connect using
ssh,rsh, orrlogin, it must have its own host principal in the Kerberos database. Thesshd,kshd, andklogindserver programs all need access to the keys for the host service's principal.- Using
kadmin, add a host principal for the workstation on the KDC. The instance in this case is the hostname of the workstation. Use the-randkeyoption for thekadmin'saddprinccommand to create the principal and assign it a random key:addprinc -randkey host/server.example.com
addprinc -randkey host/server.example.comCopy to Clipboard Copied! Toggle word wrap Toggle overflow - The keys can be extracted for the workstation by running
kadminon the workstation itself and using thektaddcommand.ktadd -k /etc/krb5.keytab host/server.example.com
ktadd -k /etc/krb5.keytab host/server.example.comCopy to Clipboard Copied! Toggle word wrap Toggle overflow
- To use other kerberized network services, install the krb5-server package and start the services. The kerberized services are listed in Table 3.3, “Common Kerberized Services”.
| Service Name | Usage Information |
|---|---|
| ssh | OpenSSH uses GSS-API to authenticate users to servers if the client's and server's configuration both have GSSAPIAuthentication enabled. If the client also has GSSAPIDelegateCredentials enabled, the user's credentials are made available on the remote system. |
| rsh and rlogin | Enable klogin, eklogin, and kshell. |
| Telnet | Enable krb5-telnet. |
| FTP | Create and extract a key for the principal with a root of ftp. Be certain to set the instance to the fully qualified hostname of the FTP server, then enable gssftp. |
| IMAP |
The
cyrus-imap package uses Kerberos 5 if it also has the cyrus-sasl-gssapi package installed. The cyrus-sasl-gssapi package contains the Cyrus SASL plugins which support GSS-API authentication. Cyrus IMAP functions properly with Kerberos as long as the cyrus user is able to find the proper key in /etc/krb5.keytab, and the root for the principal is set to imap (created with kadmin).
An alternative to
cyrus-imap can be found in the dovecot package, which is also included in Red Hat Enterprise Linux. This package contains an IMAP server but does not, to date, support GSS-API and Kerberos.
|
| CVS | gserver uses a principal with a root of cvs and is otherwise identical to the CVS pserver. |
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}