Kerberos é um sistema/protocolo adicional de rede que permite usuários se autenticar através de serviços de um servidor seguro. Serviços tais como login remoto, cópia remota, cópia segura de arquivos entre sistemas e outras tarefas de alto risco são feitas consideravelmente mais seguras e controláveis.
As seguintes instruções podem ser usadas como um guia em como configurar o Kerberos distribuído para FreeBSD. Entretanto, você deve consultar as páginas de manual relevantes para uma descrição completa.
Kerberos é um componento opcioinal do FreeBSD. A maneira mais fácil de instalar este software é selecionando a distribuição krb4 ou krb5 no sysinstall durante a instalação inicial do FreeBSD. Isto instalará a implementação ``eBones'' (KerberosIV) ou ``Heimdal'' (Kerberos5) do Kerberos. Estas implementações estão incluídas porque são desenvolvidas fora dos EUA/Canadá e estavam portanto disponíveis aos proprietários de sistemas fora daqueles países durante a era de controles restritivos de exportação de código criptográfico dos EUA.
Alternativamente, a implementação do Kerberos do MIT está disponível na coleção de ports como security/krb5.
Isto é feito somente no servidor Kerberos. Certifique-se primeiramente que você não tem nenhuma base de dados antiga. Você pode entrar no diretório /etc/kerberosIV e certificar-se de que apenas os seguintes arquivos estejam presentes:
# cd /etc/kerberosIV # ls README krb.conf krb.realms
Se alguns arquivos adicionais (tais como principal.* ou master_key) existir, então use o comando kdb_destroy para destruir a base de dados antiga do Kerberos, ou se o Kerberos não estiver executando, simplesmente delete os arquivos extras.
Você deve agora editar os arquivos krb.conf e krb.realms para definir seu reino Kerberos. Neste caso o reino será EXAMPLE.COM e o servidor é grunt.example.com. Nós editamos ou criamos o arquivo krb.conf:
# cat krb.conf EXAMPLE.COM EXAMPLE.COM grunt.example.com admin server CS.BERKELEY.EDU okeeffe.berkeley.edu ATHENA.MIT.EDU kerberos.mit.edu ATHENA.MIT.EDU kerberos-1.mit.edu ATHENA.MIT.EDU kerberos-2.mit.edu ATHENA.MIT.EDU kerberos-3.mit.edu LCS.MIT.EDU kerberos.lcs.mit.edu TELECOM.MIT.EDU bitsy.mit.edu ARC.NASA.GOV trident.arc.nasa.gov
Neste caso, os outros reinos não precisam estar aí. Eles estão aqui como um exemplo de como uma máquina pode ser feita de múltiplos reinos. Você pode desejar não incluí-los para simplificar.
A primeira linha nomeia o reino em que este sistema trabalha. As outras linhas contêm entradas reino/host. O primeiro item em uma linha é um reino, e o segundo é um host nesse reino que está agindo como um ``centro de distribuição de chave''. As palavras admin server depois de um nome de host significa que o host fornece também um servidor administrativo de base de dados. Para uma explanação adicional destes termos, consulte por favor as páginas de manual do Kerberos.
Agora nós temos que adicionar grunt.example.com ao reino EXAMPLE.COM e também adicionar uma entrada para colocar todos os hosts do domínio .example.com no reino EXAMPLE.COM. O arquivo krb.realms seria atualizado como segue:
# cat krb.realms grunt.example.com EXAMPLE.COM .example.com EXAMPLE.COM .berkeley.edu CS.BERKELEY.EDU .MIT.EDU ATHENA.MIT.EDU .mit.edu ATHENA.MIT.EDU
Novamente, os outros reinos não precisam estar aí. Eles estão aqui como um exemplo de como uma máquina pode ser feita de múltiplos reinos. Você pode desejar removê-los para simplificar as coisas.
A primeira linha coloca o sistema específico no reino nomeado. O resto das linhas mostra como to default systems of a particular subdomain to a named realm.
Now we are ready to create the database. This only needs to run on the Kerberos server (or Key Distribution Center). Issue the kdb_init command to do this:
# kdb_init
Realm name [default ATHENA.MIT.EDU ]: EXAMPLE.COM
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter Kerberos master key:
Now we have to save the key so that servers on the local machine can pick it up. Use the kstash command to do this:
# kstash
Enter Kerberos master key:
Current Kerberos master key version is 1.
Master key entered. BEWARE!
This saves the encrypted master password in /etc/kerberosIV/master_key.
Two principals need to be added to the database for each system that will be secured with Kerberos. Their names are kpasswd and rcmd. These two principals are made for each system, with the instance being the name of the individual system.
These daemons, kpasswd and rcmd allow other systems to change Kerberos passwords and run commands like rcp(1), rlogin(1) and rsh(1).
Now let us add these entries:
# kdb_edit Opening database... Enter Kerberos master key: Current Kerberos master key version is 1. Master key entered. BEWARE! Previous or default values are in [brackets] , enter return to leave the same, or new value. Principal name: passwd Instance: grunt <Not found>, Create [y] ? y Principal: passwd, Instance: grunt, kdc_key_ver: 1 New Password: <---- enter RANDOM here Verifying password New Password: <---- enter RANDOM here Random password [y] ? y Principal's new key version = 1 Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ? Max ticket lifetime (*5 minutes) [ 255 ] ? Attributes [ 0 ] ? Edit O.K. Principal name: rcmd Instance: grunt <Not found>, Create [y] ? Principal: rcmd, Instance: grunt, kdc_key_ver: 1 New Password: <---- enter RANDOM here Verifying password New Password: <---- enter RANDOM here Random password [y] ? Principal's new key version = 1 Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ? Max ticket lifetime (*5 minutes) [ 255 ] ? Attributes [ 0 ] ? Edit O.K. Principal name: <---- null entry here will cause an exit
We now have to extract all the instances which define the services on each machine. For this we use the ext_srvtab command. This will create a file which must be copied or moved by secure means to each Kerberos client's /etc/kerberosIV directory. This file must be present on each server and client, and is crucial to the operation of Kerberos.
# ext_srvtab grunt
Enter Kerberos master key:
Current Kerberos master key version is 1.
Master key entered. BEWARE!
Generating 'grunt-new-srvtab'....
Now, this command only generates a temporary file which must be renamed to srvtab so that all the servers can pick it up. Use the mv(1) command to move it into place on the original system:
# mv grunt-new-srvtab srvtab
If the file is for a client system, and the network is not deemed safe, then copy the client-new-srvtab to removable media and transport it by secure physical means. Be sure to rename it to srvtab in the client's /etc/kerberosIV directory, and make sure it is mode 600:
# mv grumble-new-srvtab srvtab # chmod 600 srvtab
We now have to add some user entries into the database. First let us create an entry for the user jane. Use the kdb_edit command to do this:
# kdb_edit Opening database... Enter Kerberos master key: Current Kerberos master key version is 1. Master key entered. BEWARE! Previous or default values are in [brackets] , enter return to leave the same, or new value. Principal name: jane Instance: <Not found>, Create [y] ? y Principal: jane, Instance: , kdc_key_ver: 1 New Password: <---- enter a secure password here Verifying password New Password: <---- re-enter the password here Principal's new key version = 1 Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ? Max ticket lifetime (*5 minutes) [ 255 ] ? Attributes [ 0 ] ? Edit O.K. Principal name: <---- null entry here will cause an exit
First we have to start the Kerberos daemons. Note that if you have correctly edited your /etc/rc.conf then this will happen automatically when you reboot. This is only necessary on the Kerberos server. Kerberos clients will automatically get what they need from the /etc/kerberosIV directory.
# kerberos & Kerberos server starting Sleep forever on error Log file is /var/log/kerberos.log Current Kerberos master key version is 1. Master key entered. BEWARE! Current Kerberos master key version is 1 Local realm: EXAMPLE.COM # kadmind -n & KADM Server KADM0.0A initializing Please do not use 'kill -9' to kill this job, use a regular kill instead Current Kerberos master key version is 1. Master key entered. BEWARE!
Now we can try using the kinit command to get a ticket for the ID jane that we created above:
% kinit jane MIT Project Athena (grunt.example.com) Kerberos Initialization for "jane" Password:
Try listing the tokens using klist to see if we really have them:
% klist Ticket file: /tmp/tkt245 Principal: jane@EXAMPLE.COM Issued Expires Principal Apr 30 11:23:22 Apr 30 19:23:22 krbtgt.EXAMPLE.COM@EXAMPLE.COM
Now try changing the password using passwd(1) to check if the kpasswd daemon can get authorization to the Kerberos database:
% passwd realm EXAMPLE.COM Old password for jane: New Password for jane: Verifying password New Password for jane: Password changed.
Kerberos allows us to give each user who needs root privileges their own separate su(1) password. We could now add an ID which is authorized to su(1) to root. This is controlled by having an instance of root associated with a principal. Using kdb_edit we can create the entry jane.root in the Kerberos database:
# kdb_edit Opening database... Enter Kerberos master key: Current Kerberos master key version is 1. Master key entered. BEWARE! Previous or default values are in [brackets] , enter return to leave the same, or new value. Principal name: jane Instance: root <Not found>, Create [y] ? y Principal: jane, Instance: root, kdc_key_ver: 1 New Password: <---- enter a SECURE password here Verifying password New Password: <---- re-enter the password here Principal's new key version = 1 Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ? Max ticket lifetime (*5 minutes) [ 255 ] ? 12 <--- Keep this short! Attributes [ 0 ] ? Edit O.K. Principal name: <---- null entry here will cause an exit
Now try getting tokens for it to make sure it works:
# kinit jane.root MIT Project Athena (grunt.example.com) Kerberos Initialization for "jane.root" Password:
Now we need to add the user to root's .klogin file:
# cat /root/.klogin jane.root@EXAMPLE.COM
Now try doing the su(1):
% su Password:
and take a look at what tokens we have:
# klist Ticket file: /tmp/tkt_root_245 Principal: jane.root@EXAMPLE.COM Issued Expires Principal May 2 20:43:12 May 3 04:43:12 krbtgt.EXAMPLE.COM@EXAMPLE.COM
In an earlier example, we created a principal called jane with an instance root. This was based on a user with the same name as the principal, and this is a Kerberos default; that a <principal>.<instance> of the form <username>.root will allow that <username> to su(1) to root if the necessary entries are in the .klogin file in root's home directory:
# cat /root/.klogin jane.root@EXAMPLE.COM
Likewise, if a user has in their own home directory lines of the form:
% cat ~/.klogin jane@EXAMPLE.COM jack@EXAMPLE.COM
This allows anyone in the EXAMPLE.COM realm who has authenticated themselves as jane or jack (via kinit, see above) to access to jane's account or files on this system (grunt) via rlogin(1), rsh(1) or rcp(1).
For example, jane now logs into another system using Kerberos:
% kinit
MIT Project Athena (grunt.example.com)
Password:
% rlogin grunt
Last login: Mon May 1 21:14:47 from grumble
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD BUILT-19950429 (GR386) #0: Sat Apr 29 17:50:09 SAT 1995
Or jack logs into jane's account on the same machine (jane having set up the .klogin file as above, and the person in charge of Kerberos having set up principal jack with a null instance):
% kinit
% rlogin grunt -l jane
MIT Project Athena (grunt.example.com)
Password:
Last login: Mon May 1 21:16:55 from grumble
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD BUILT-19950429 (GR386) #0: Sat Apr 29 17:50:09 SAT 1995
Este, e outros documentos, podem ser obtidos em ftp://ftp.FreeBSD.org/pub/FreeBSD/doc/.
Para perguntas sobre FreeBSD, leia a documentação antes de contatar <questions@FreeBSD.org>.
Para perguntas sobre esta documentação, envie e-mail para <doc@FreeBSD.org>.