此内容没有您所选择的语言版本。
48.6.6. Configuring a Kerberos 5 Client
Setting up a Kerberos 5 client is less involved than setting up a server. At a minimum, install the client packages and provide each client with a valid
krb5.conf
configuration file. While ssh
and slogin
are the preferred method of remotely logging in to client systems, Kerberized versions of rsh
and rlogin
are still available, though deploying them requires that a few more configuration changes be made.
- Be sure that time synchronization is in place between the Kerberos client and the KDC. Refer to Section 48.6.5, “Configuring a Kerberos 5 Server” for more information. In addition, verify that DNS is working properly on the Kerberos client before configuring the Kerberos client programs.
- Install the
krb5-libs
andkrb5-workstation
packages on all of the client machines. Supply a valid/etc/krb5.conf
file for each client (usually this can be the samekrb5.conf
file used by the KDC). - Before a workstation in the realm can use Kerberos to authenticate users who connect using
ssh
or Kerberizedrsh
orrlogin
, it must have its own host principal in the Kerberos database. Thesshd
,kshd
, andklogind
server programs all need access to the keys for the host service's principal. Additionally, in order to use the kerberizedrsh
andrlogin
services, that workstation must have thexinetd
package installed.Usingkadmin
, add a host principal for the workstation on the KDC. The instance in this case is the hostname of the workstation. Use the-randkey
option for thekadmin
'saddprinc
command to create the principal and assign it a random key:addprinc -randkey host/blah.example.com
Now that the principal has been created, keys can be extracted for the workstation by runningkadmin
on the workstation itself, and using thektadd
command withinkadmin
:ktadd -k /etc/krb5.keytab host/blah.example.com
- To use other kerberized network services, they must first be started. Below is a list of some common kerberized services and instructions about enabling them:
ssh
— OpenSSH uses GSS-API to authenticate users to servers if the client's and server's configuration both haveGSSAPIAuthentication
enabled. If the client also hasGSSAPIDelegateCredentials
enabled, the user's credentials are made available on the remote system.rsh
andrlogin
— To use the kerberized versions ofrsh
andrlogin
, enableklogin
,eklogin
, andkshell
.- Telnet — To use kerberized Telnet,
krb5-telnet
must be enabled. - FTP — To provide FTP access, create and extract a key for the principal with a root of
ftp
. Be certain to set the instance to the fully qualified hostname of the FTP server, then enablegssftp
. - IMAP — To use a kerberized IMAP server, the
cyrus-imap
package uses Kerberos 5 if it also has thecyrus-sasl-gssapi
package installed. Thecyrus-sasl-gssapi
package contains the Cyrus SASL plugins which support GSS-API authentication. Cyrus IMAP should function properly with Kerberos as long as thecyrus
user is able to find the proper key in/etc/krb5.keytab
, and the root for the principal is set toimap
(created withkadmin
).An alternative tocyrus-imap
can be found in thedovecot
package, which is also included in Red Hat Enterprise Linux. This package contains an IMAP server but does not, to date, support GSS-API and Kerberos. - CVS — To use a kerberized CVS server,
gserver
uses a principal with a root ofcvs
and is otherwise identical to the CVSpserver
.
Refer to Chapter 18, Controlling Access to Services for details about how to enable services.