
142 Chapter 11. Kerberos
Note
Kerberos depends on certain network services to work correctly. First, Kerberos requires approximate
clock synchronization between the machines on the network. A clock syncing program should be set
up for the network. Since certain aspects of Kerberos rely on the Domain Name Service (DNS), be
sure that the DNS entries and hosts on the network are all properly configured. See the Kerberos V5
System Administrator’s Guide, provided in PostScript and HTML formats in /usr/share/doc/krb5-server-version-number (where version-number is the version installed on the system) for more information.
11.5. Kerberos and PAM
Currently, kerberized services do not make use of Pluggable Authentication Modules (PAM) at all —
a kerberized server bypasses PAM completely. Applications that use PAM can make use of Kerberos
for password checking if the pam_krb5 module (provided in the pam_krb5 package) is installed.
The pam_krb5 package contains sample configuration files that allow services like login and gdm
to authenticate users and obtain initial credentials using their passwords. If access to network servers
is always done using kerberized services or services that use GSS-API, like IMAP, the network can
be considered reasonably safe.
Careful administrators will not add Kerberos password checking to all network services because most
of the protocols used by these services do not encrypt the password before sending it over the network
— obviously something to avoid.
The next section will describe how to set up a basic Kerberos server.
11.6. Configuring a Kerberos 5 Server
When you are setting up Kerberos, install the server first. If you need to set up slave servers, the details
of setting up relationships between master and slave servers are covered in the Kerberos 5 Installation
Guide (in the /usr/share/doc/krb5-server-version-number directory).
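The steps that follow edit /etc/krb5.conf for your realm; as an added example that is not part of this manual, here is a small Python check that parses the file's stanza format and flags the mistakes those steps warn about: a realm name that is not uppercase, a domain mapping that is not lowercase, a default_realm or mapping with no [realms] entry, and a clockskew above the five-minute default. The krb5.conf it reads is constructed inline, with EXAMPLE.COM replaced by the hypothetical realm CORP.TEST and the hypothetical KDC host kerberos.corp.test.

```python
# Constructed krb5.conf in the layout the manual describes; CORP.TEST and
# kerberos.corp.test are hypothetical names standing in for EXAMPLE.COM.
SAMPLE_KRB5_CONF = """
[libdefaults]
 default_realm = CORP.TEST
 clockskew = 300
[realms]
 CORP.TEST = {
  kdc = kerberos.corp.test:88
 }
[domain_realm]
 .corp.test = CORP.TEST
 corp.test = CORP.TEST
"""


def parse_krb5_conf(text):
    """Parse [section] headers, key = value lines and one level of 'name = { ... }' sub-blocks."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and surrounding whitespace
        if line.startswith("[") and line.endswith("]"):
            section, block = line[1:-1], None
            conf[section] = {}
        elif line.endswith("{"):              # start of a realm sub-block
            block = line.split("=", 1)[0].strip()
            conf[section][block] = {}
        elif line == "}":                     # end of the sub-block
            block = None
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            (conf[section][block] if block else conf[section])[key] = value
    return conf


def check_realm_config(conf, max_skew=300):
    """Return the problems found; an empty list means the realm settings look consistent."""
    problems = []
    realms = conf.get("realms", {})
    default = conf.get("libdefaults", {}).get("default_realm")
    if default not in realms:
        problems.append(f"default_realm {default!r} has no [realms] entry")
    problems += [f"realm {r!r} is not uppercase" for r in realms if r != r.upper()]
    for domain, realm in conf.get("domain_realm", {}).items():
        if domain != domain.lower():
            problems.append(f"domain {domain!r} is not lowercase")
        if realm not in realms:
            problems.append(f"domain {domain!r} maps to unknown realm {realm!r}")
    skew = int(conf.get("libdefaults", {}).get("clockskew", max_skew))
    if skew > max_skew:                       # clients beyond this skew cannot authenticate
        problems.append(f"clockskew {skew}s exceeds the {max_skew}s default")
    return problems
```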
To install a Kerberos server:
1. Be sure that you have clock synchronization and DNS working on your server before installing
Kerberos 5. Pay particular attention to time synchronization between the Kerberos server and
its various clients. If the server and client clocks are different by more than five minutes (this
default amount is configurable in Kerberos 5), Kerberos clients will not be able to authenticate
to the server. This clock synchronization is necessary to prevent an attacker from using an old
authenticator to masquerade as a valid user.
You should set up a Network Time Protocol (NTP) compatible client/server network using Red
Hat Linux, even if you are not using Kerberos. Red Hat Linux 7.3 includes the ntp package for
easy installation. See http://www.eecis.udel.edu/~ntp for additional information on NTP.
2. Install the krb5-libs, krb5-server, and krb5-workstation packages on the dedicated
machine which will run your KDC. This machine needs to be secure — if possible, it should
not run any services other than the KDC.
If you would like to use a Graphical User Interface (GUI) utility to administrate Kerberos, you
should also install the gnome-kerberos package. It contains krb5, a GUI tool for managing
tickets, and gkadmin, a GUI tool for managing Kerberos realms.
3. Edit the /etc/krb5.conf and /var/kerberos/krb5kdc/kdc.conf configuration files to
reflect your realm name and domain-to-realm mappings. A simple realm can be constructed by
replacing instances of EXAMPLE.COM and example.com with your domain name — being
certain to keep uppercase and lowercase names in the correct format — and by changing the