svn rev #23310: trunk/doc/
ghudson@MIT.EDU
ghudson at MIT.EDU
Sun Nov 22 13:44:46 EST 2009
http://src.mit.edu/fisheye/changelog/krb5/?cs=23310
Commit By: ghudson
Log Message:
ticket: 6583
Remove discussion of the unbundled applications from the install
guide.
Changed Files:
U trunk/doc/install.texinfo
Modified: trunk/doc/install.texinfo
===================================================================
--- trunk/doc/install.texinfo 2009-11-22 18:20:36 UTC (rev 23309)
+++ trunk/doc/install.texinfo 2009-11-22 18:44:46 UTC (rev 23310)
@@ -740,23 +740,15 @@
@end smallexample
@need 1000
-Then, add the following lines to @code{/etc/inetd.conf} file on each KDC
-(the line beginnng with @result{} is a continuation of the previous
-line):
+Then, add the following line to @code{/etc/inetd.conf} file on each KDC:
@smallexample
@group
krb5_prop stream tcp nowait root @value{ROOTDIR}/sbin/kpropd kpropd
-eklogin stream tcp nowait root @value{ROOTDIR}/sbin/klogind
- at result{} klogind -k -c -e
@end group
@end smallexample
@noindent
-The first line sets up the @code{kpropd} database propagation daemon.
-The second line sets up the @code{eklogin} daemon, allowing
-Kerberos-authenticated, encrypted rlogin to the KDC.
-
You also need to add the following lines to @code{/etc/services} on each
KDC:
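Review bot: the replacement sentence at the top of this hunk drops the article and the explanation of what the remaining line does. With the @code{eklogin} line gone, the sentence "The first line sets up the @code{kpropd} database propagation daemon" is the only description of the surviving @code{krb5_prop} entry, and it is removed along with the @code{eklogin} text. Suggest "Then, add the following line to the @code{/etc/inetd.conf} file on each KDC:" and keep a one-line note after the example, e.g. "This line sets up the @code{kpropd} database propagation daemon."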
@@ -767,7 +759,6 @@
krb5_prop 754/tcp # Kerberos slave propagation
kerberos-adm 749/tcp # Kerberos 5 admin/changepw (tcp)
kerberos-adm 749/udp # Kerberos 5 admin/changepw (udp)
-eklogin 2105/tcp # Kerberos encrypted rlogin
@end group
@end smallexample
@@ -908,46 +899,6 @@
root access through a security hole in any of those areas could gain
access to the Kerberos database.
- at need 4700
- at value{COMPANY} recommends that your KDCs use the following
- at code{/etc/inetd.conf} file. (Note: each line beginning with @result{}
-is a continuation of the previous line.):
-
- at smallexample
- at group
-#
-# Configuration file for inetd(1M). See inetd.conf(4).
-#
-# To re-configure the running inetd process, edit this file, then
-# send the inetd process a SIGHUP.
-#
-# Syntax for socket-based Internet services:
-# <service_name> <socket_type> <proto> <flags> <user>
- at result{} <server_pathname> <args>
-#
-# Syntax for TLI-based Internet services:
-#
-# <service_name> tli <proto> <flags> <user> <server_pathname> <args>
-#
-# Ftp and telnet are standard Internet services.
-#
-# This machine is a secure Kerberos Key Distribution Center (KDC).
-# Services are limited.
-#
-#
-# Time service is used for clock synchronization.
-#
-time stream tcp nowait root internal
-time dgram udp wait root internal
-#
-# Limited Kerberos services
-#
-krb5_prop stream tcp nowait root @value{ROOTDIR}/sbin/kpropd kpropd
-eklogin stream tcp nowait root @value{ROOTDIR}/sbin/klogind
- at result{} klogind -5 -c -e
- at end group
- at end smallexample
-
@node Switching Master and Slave KDCs, Incremental Database Propagation, Limit Access to the KDCs, Installing KDCs
@subsection Switching Master and Slave KDCs
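Review bot: this hunk removes the whole recommended KDC @code{/etc/inetd.conf}, not just the @code{eklogin} entry, so the "Limit Access to the KDCs" section loses its only concrete statement that a KDC should run a minimal set of inetd services ("This machine is a secure Kerberos Key Distribution Center (KDC). Services are limited."). The surrounding context still argues that a hole in any other service could expose the Kerberos database. Suggest keeping a trimmed example that lists only the @code{krb5_prop} line (and the @code{time} entries if still wanted), or at least a sentence recommending that the KDC's @code{/etc/inetd.conf} contain nothing beyond @code{kpropd}.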
@@ -1140,32 +1091,19 @@
@node Client Programs, Client Machine Configuration Files, Installing and Configuring UNIX Client Machines, Installing and Configuring UNIX Client Machines
@subsection Client Programs
-The Kerberized client programs are @code{login.krb5}, @code{rlogin},
- at code{telnet}, @code{ftp}, @code{rcp}, @code{rsh}, @code{kinit},
- at code{klist}, @code{kdestroy}, @code{kpasswd}, @code{ksu}, and
- at code{krb524init}. All of these programs are in the directory
- at code{@value{ROOTDIR}/bin}, except for @code{login.krb5} which is in
- at code{@value{ROOTDIR}/sbin}.
+The Kerberized client programs are @code{kinit}, @code{klist},
+ at code{kdestroy}, @code{kpasswd}, and @code{ksu}. All of these programs
+are in the directory @code{@value{ROOTDIR}/bin}.
-You will probably want to have your users put @code{@value{ROOTDIR}/bin}
-ahead of @code{/bin} and @code{/usr/bin} in their paths, so they will by
-default get the @value{PRODUCT} versions of @code{rlogin},
- at code{telnet}, @code{ftp}, @code{rcp}, and @code{rsh}.
-
@value{COMPANY} recommends that you use @code{login.krb5} in place of
@code{/bin/login} to give your users a single-sign-on system. You will
need to make sure your users know to use their Kerberos passwords when
they log in.
You will also need to educate your users to use the ticket management
-programs @code{kinit},
- at c @code{krb524init},
- at code{klist}, @code{kdestroy}, and to use the Kerberos programs
- at c @code{pfrom},
- at code{ksu}, and @code{kpasswd} in place of their non-Kerberos
-counterparts
- at c @code{from}
- at code{su}, @code{passwd}, and @code{rdist}.
+programs @code{kinit}, @code{klist}, @code{kdestroy}, and to use the
+Kerberos programs @code{ksu} and @code{kpasswd} in place of their
+non-Kerberos counterparts @code{su} and @code{passwd}.
@node Client Machine Configuration Files, , Client Programs, Installing and Configuring UNIX Client Machines
@subsection Client Machine Configuration Files
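Review bot: the new client program list omits @code{login.krb5}, but the unchanged paragraph immediately below still recommends using @code{login.krb5} in place of @code{/bin/login}, and the removed text was the only place that told the reader it lives in @code{@value{ROOTDIR}/sbin} rather than @code{@value{ROOTDIR}/bin}. Either @code{login.krb5} is still shipped, in which case keep it in the list with its @code{sbin} location, or it is not, in which case the following paragraph should go as well. Also confirm that dropping @code{krb524init} here is intended, since the @code{krb524} service entry is retained in the @code{/etc/services} example in the next hunk.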
@@ -1183,13 +1121,9 @@
@group
kerberos @value{DefaultPort}/udp kdc # Kerberos V5 KDC
kerberos @value{DefaultPort}/tcp kdc # Kerberos V5 KDC
-klogin @value{DefaultKloginPort}/tcp # Kerberos authenticated rlogin
-kshell @value{DefaultKshellPort}/tcp cmd # and remote shell
kerberos-adm @value{DefaultKadmindPort}/tcp # Kerberos 5 admin/changepw
kerberos-adm @value{DefaultKadmindPort}/udp # Kerberos 5 admin/changepw
krb5_prop @value{DefaultKrbPropPort}/tcp # Kerberos slave propagation
- at c kpop 1109/tcp # Pop with Kerberos
-eklogin @value{DefaultEkloginPort}/tcp # Kerberos auth. & encrypted rlogin
krb524 @value{DefaultKrb524Port}/tcp # Kerberos 5 to 4 ticket translator
@end group
@end smallexample
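Review bot: the @code{krb524} line ("Kerberos 5 to 4 ticket translator") is kept in this client @code{/etc/services} example while the @code{krb524init} client was removed from the program list in the preceding hunk; if the translator is also unbundled, this entry should be removed for consistency, otherwise the earlier list should mention it. The removal of the @code{klogin}, @code{kshell}, @code{eklogin} and commented-out @code{kpop} lines is consistent with the rest of the change.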
@@ -1299,77 +1233,11 @@
@value{PRODUCT}'s single sign-on capability.
@menu
-* Server Programs::
-* Server Configuration Files::
* The Keytab File::
* Some Advice about Secure Hosts::
@end menu
- at node Server Programs, Server Configuration Files, UNIX Application Servers, UNIX Application Servers
- at subsection Server Programs
-
-Just as @value{PRODUCT} provided its own Kerberos-enhanced versions of
-client UNIX network programs, @value{PRODUCT} also provides
-Kerberos-enhanced versions of server UNIX network daemons. These are
- at code{ftpd}, @code{klogind}, @code{kshd}, and @code{telnetd}.
- at c @code{popper},
-These programs are installed in the directory
- at code{@value{ROOTDIR}/sbin}. You may want to add this directory to
-root's path.
-
- at node Server Configuration Files, The Keytab File, Server Programs, UNIX Application Servers
- at subsection Server Configuration Files
-
-For a @emph{secure} server, make the following changes to
- at code{/etc/inetd.conf}:
-
-Find and comment out any lines for the services @code{ftp},
- at code{telnet}, @code{shell}, @code{login}, and @code{exec}.
-
- at need 1800
-Add the following lines. (Note: each line beginning with @result{} is
-a continuation of the previous line.)
-
- at smallexample
- at group
-klogin stream tcp nowait root @value{ROOTDIR}/sbin/klogind
- at result{} klogind -k -c
-eklogin stream tcp nowait root @value{ROOTDIR}/sbin/klogind
- at result{} klogind -k -c -e
-kshell stream tcp nowait root @value{ROOTDIR}/sbin/kshd
- at result{} kshd -k -c -A
-ftp stream tcp nowait root @value{ROOTDIR}/sbin/ftpd
- at result{} ftpd -a
-telnet stream tcp nowait root @value{ROOTDIR}/sbin/telnetd
- at result{} telnetd -a valid
- at end group
- at end smallexample
-
-For an @emph{insecure} server, make the following changes instead to
- at code{/etc/inetd.conf}:
-
- at need 1800
-Find and comment out any lines for the services @code{ftp} and
- at code{telnet}.
-
-Add the following lines. (Note: each line beginning with @result{} is
-a continuation of the previous line.)
- at smallexample
- at group
-klogin stream tcp nowait root @value{ROOTDIR}/sbin/klogind
- at result{} klogind -k -c
-eklogin stream tcp nowait root @value{ROOTDIR}/sbin/klogind
- at result{} klogind -k -c -e
-kshell stream tcp nowait root @value{ROOTDIR}/sbin/kshd
- at result{} kshd -k -c -A
-ftp stream tcp nowait root @value{ROOTDIR}/sbin/ftpd
- at result{} ftpd
-telnet stream tcp nowait root @value{ROOTDIR}/sbin/telnetd
- at result{} telnetd -a none
- at end group
- at end smallexample
-
- at node The Keytab File, Some Advice about Secure Hosts, Server Configuration Files, UNIX Application Servers
+ at node The Keytab File, Some Advice about Secure Hosts, UNIX Application Servers, UNIX Application Servers
@subsection The Keytab File
All Kerberos server machines need a @dfn{keytab} file, called
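Review bot: with the "Server Programs" and "Server Configuration Files" nodes deleted, check the rest of @code{install.texinfo} (and any other manual in @code{trunk/doc}) for @code{@@xref}/@code{@@ref} cross-references to those node names, since makeinfo will fail on a dangling reference; the @code{@@node} pointer update on "The Keytab File" (previous node now "UNIX Application Servers") looks correct for the new first subsection. Separately, the removed "secure server" text carried advice that does not depend on the unbundled daemons: commenting out the cleartext @code{ftp}, @code{telnet}, @code{shell}, @code{login} and @code{exec} services in @code{/etc/inetd.conf}. Consider keeping that recommendation, e.g. in "Some Advice about Secure Hosts", rather than losing it with the @code{klogind}/@code{kshd} configuration.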
@@ -1419,9 +1287,7 @@
If you generate the keytab file on another host, you need to get a copy
of the keytab file onto the destination host (@code{trillium}, in the
-above example) without sending it unencrypted over the network. If you
-have installed the @value{PRODUCT} client programs, you can use
-encrypted @code{rcp}.
+above example) without sending it unencrypted over the network.
@node Some Advice about Secure Hosts, , The Keytab File, UNIX Application Servers
@subsection Some Advice about Secure Hosts
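Review bot: after removing "you can use encrypted @code{rcp}", the sentence tells the reader not to send the keytab unencrypted but no longer offers any way to move it. Suggest adding a short clause naming an acceptable alternative (an encrypted file-transfer tool or physical media) so the instruction remains actionable.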
@@ -1433,21 +1299,12 @@
possible attack, but it is worth noting some of the larger holes and how
to close them.
-As stated earlier in this section, @value{COMPANY} recommends that on a
-secure host, you disable the standard @code{ftp}, @code{login},
- at code{telnet}, @code{shell}, and @code{exec} services in
- at code{/etc/inetd.conf}. We also recommend that secure hosts have an empty
- at code{/etc/hosts.equiv} file and that there not be a @code{.rhosts} file
-in @code{root}'s home directory. You can grant Kerberos-authenticated
-root access to specific Kerberos principals by placing those principals
-in the file @code{.k5login} in root's home directory.
-
We recommend that backups of secure machines exclude the keytab file
(@code{/etc/krb5.keytab}). If this is not possible, the backups should
at least be done locally, rather than over a network, and the backup
tapes should be physically secured.
-Finally, the keytab file and any programs run by root, including the
+The keytab file and any programs run by root, including the
@value{PRODUCT} binaries, should be kept on local disk. The keytab file
should be readable only by root.
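Review bot: the deleted paragraph mixes two things. The first sentence ("As stated earlier in this section ...") refers to the removed server configuration text and should go, but the recommendations that secure hosts have an empty @code{/etc/hosts.equiv}, no @code{.rhosts} in @code{root}'s home directory, and grant root access via @code{.k5login} are not tied to the unbundled applications; @code{ksu} is still listed as a shipped client program in the earlier hunk and @code{.k5login} is how it authorizes access. Suggest keeping the last three sentences of the paragraph. The change from "Finally, the keytab file" to "The keytab file" is fine since the paragraph no longer closes a list.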