Date: Fri, 8 May 2020 13:58:05 +0000 (UTC)
From: Benedict Reuschling <bcr@FreeBSD.org>
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r54114 - head/en_US.ISO8859-1/books/handbook/security
Message-ID: <202005081358.048Dw5xx030521@repo.freebsd.org>
Author: bcr Date: Fri May 8 13:58:05 2020 New Revision: 54114 URL: https://svnweb.freebsd.org/changeset/doc/54114 Log: Updates to the Kerberos section: - prefer sysrc to manual edits of /etc/rc.conf - Add pkg install step - provide the full path to the kadmind.acl file - Updated messages from kadmin add command - Update Heimdal wiki link I changed only minor details in the original patch to conform to our doc style and conventions. Submitted by: farhan_farhan.codes Approved by: bcr@ Differential Revision: https://reviews.freebsd.org/D23596 Modified: head/en_US.ISO8859-1/books/handbook/security/chapter.xml Modified: head/en_US.ISO8859-1/books/handbook/security/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/security/chapter.xml Fri May 8 09:16:46 2020 (r54113) +++ head/en_US.ISO8859-1/books/handbook/security/chapter.xml Fri May 8 13:58:05 2020 (r54114) @@ -1207,12 +1207,17 @@ sendmail : PARANOID : deny</programlisting> <acronym>KDC</acronym> is recommended for security reasons.</para> - <para>To begin setting up a <acronym>KDC</acronym>, add these - lines to <filename>/etc/rc.conf</filename>:</para> + <para>To begin, install the <package>security/heimdal</package> + package as follows:</para> - <programlisting>kdc_enable="YES" -kadmind_enable="YES"</programlisting> + <screen>&prompt.root; <userinput>pkg install heimdal</userinput></screen> + <para>Next, update <filename>/etc/rc.conf</filename> using + <command>sysrc</command> as follows:</para> + + <screen>&prompt.root; <userinput>sysrc kdc_enable=yes</userinput> +&prompt.root; <userinput>sysrc kadmind_enable=yes</userinput></screen> + <para>Next, edit <filename>/etc/krb5.conf</filename> as follows:</para> 
@@ -1295,25 +1300,32 @@ Realm max ticket life [unlimited]:</screen> <para>Lastly, while still in <command>kadmin</command>, create the first principal using <command>add</command>. Stick to the default options for the principal for now, as these can be - changed later with <command>modify</command>. Type - <literal>?</literal> at the prompt to see the available + <command>kadmin</command>, using the <command>add</command>. + Stick to the default options for the admin principal for now, + as these can be changed later with <command>modify</command>. + Type <literal>?</literal> at the prompt to see the available options.</para> - <screen>kadmin> <userinput>add <replaceable>tillman</replaceable></userinput> + <screen>kadmin> <userinput>add tillman</userinput> Max ticket life [unlimited]: Max renewable life [unlimited]: +Principal expiration time [never]: +Password expiration time [never]: Attributes []: Password: <userinput><replaceable>xxxxxxxx</replaceable></userinput> Verifying password - Password: <userinput><replaceable>xxxxxxxx</replaceable></userinput></screen> - <para>Next, start the <acronym>KDC</acronym> services by running - <command>service kdc start</command> and - <command>service kadmind start</command>. 
While there will - not be any kerberized daemons running at this point, it is - possible to confirm that the <acronym>KDC</acronym> is - functioning by obtaining a ticket for the - principal that was just created:</para> + <para>Next, start the <acronym>KDC</acronym> services by + running:</para> + <screen>&prompt.root; <userinput>service kdc start</userinput> +&prompt.root; <userinput>service kadmind start</userinput></screen> + + <para>While there will not be any kerberized daemons running at + this point, it is possible to confirm that the + <acronym>KDC</acronym> is functioning by obtaining a ticket + for the principle that was just created:</para> + <screen>&prompt.user; <userinput>kinit <replaceable>tillman</replaceable></userinput> tillman@EXAMPLE.ORG's Password:</screen> @@ -1380,8 +1392,9 @@ Aug 27 15:37:58 2013 Aug 28 01:37:58 2013 krbtgt/EXA <command>kadmin</command> will prompt for the password to get a fresh ticket. The principal authenticating to the kadmin service must be permitted to use the <command>kadmin</command> - interface, as specified in <filename>kadmind.acl</filename>. - See the section titled <quote>Remote administration</quote> in + interface, as specified in + <filename>/var/heimdal/kadmind.acl</filename>. See the + section titled <quote>Remote administration</quote> in <command>info heimdal</command> for details on designing access control lists. Instead of enabling remote <command>kadmin</command> access, the administrator could @@ -1756,8 +1769,8 @@ kadmind_enable="YES"</programlisting> <listitem> <para><link - xlink:href="https://www.h5l.org/">Heimdal - <application>Kerberos</application> home + xlink:href="https://github.com/heimdal/heimdal/wiki">Heimdal + <application>Kerberos</application> project wiki page</link></para> </listitem> </itemizedlist>
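Review bot: in the first hunk (@@ -1207) the two added paragraphs both open with "Next," ("Next, update <filename>/etc/rc.conf</filename> using <command>sysrc</command> as follows:" is followed directly by "Next, edit <filename>/etc/krb5.conf</filename> as follows:"); vary the second lead-in, for example "Then edit <filename>/etc/krb5.conf</filename> as follows:", so the two steps do not read as a repetition.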
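Review bot: the second hunk (@@ -1295) leaves a duplicated, broken sentence: the unchanged context lines "create the first principal using <command>add</command>. Stick to the default options for the principal for now, as these can be" are immediately followed by the added lines "<command>kadmin</command>, using the <command>add</command>. Stick to the default options for the admin principal for now, as these can be changed later with <command>modify</command>.", so the rendered paragraph repeats the instruction and reads "as these can be kadmin, using the add." Either the context sentence or the added duplicate has to go, and "using the <command>add</command>" should be "using <command>add</command>". In the same hunk the <replaceable> markup is dropped from "add tillman" while the later "kinit <replaceable>tillman</replaceable>" keeps it; make the two consistent. The new paragraph also misspells principal as "principle" ("a ticket for the principle that was just created").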
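Review bot: the third hunk (@@ -1380) hardcodes <filename>/var/heimdal/kadmind.acl</filename>, but the first hunk now has the reader install the <package>security/heimdal</package> package rather than rely on the base-system Heimdal; confirm that the packaged kadmind reads its ACL from that same path (the installation prefix may differ) before committing to the absolute path, or state which installation the path applies to.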
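Review bot: the hunk header of the last hunk (@@ -1756,8 +1769,8 @@ kadmind_enable="YES"</programlisting>) shows that the chapter still carries at least one <programlisting> with <filename>/etc/rc.conf</filename> lines in the manual-edit style this commit moves away from in the first hunk; for consistency that listing should get the same <command>sysrc</command> treatment, or the log message should say why it is left as is. The link change itself is fine, but since the removed text pointed at the Heimdal "home page" and the new text at the "project wiki page", the log entry "Update Heimdal wiki link" would be clearer as "replace the Heimdal home page link with the project wiki".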