From owner-svn-doc-all@freebsd.org Fri May 8 13:58:06 2020
Delivered-To: svn-doc-all@mailman.nyi.freebsd.org
Message-Id: <202005081358.048Dw5xx030521@repo.freebsd.org>
From: Benedict Reuschling
Date: Fri, 8 May 2020 13:58:05 +0000 (UTC)
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r54114 - head/en_US.ISO8859-1/books/handbook/security
X-SVN-Group: doc-head
X-SVN-Commit-Author: bcr
X-SVN-Commit-Paths: head/en_US.ISO8859-1/books/handbook/security
X-SVN-Commit-Revision: 54114
X-SVN-Commit-Repository: doc
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-doc-all@freebsd.org
X-Mailman-Version: 2.1.32
Precedence: list
List-Id: "SVN commit messages for the entire doc trees \(except for " user" , " projects" , and " translations" \)"
X-List-Received-Date: Fri, 08 May 2020 13:58:06 -0000

Author: bcr
Date: Fri May  8 13:58:05 2020
New Revision: 54114
URL: https://svnweb.freebsd.org/changeset/doc/54114

Log:
  Updates to the Kerberos section:
  - prefer sysrc to manual edits of /etc/rc.conf
  - Add pkg install step
  - provide the full path to the kadmind.acl file
  - Updated messages from kadmin add command
  - Update Heimdal wiki link

  I changed only minor details in the original patch to conform to our doc style and conventions.

  Submitted by:   farhan_farhan.codes
  Approved by:    bcr@
  Differential Revision:  https://reviews.freebsd.org/D23596

Modified:
  head/en_US.ISO8859-1/books/handbook/security/chapter.xml

Modified: head/en_US.ISO8859-1/books/handbook/security/chapter.xml
==============================================================================
--- head/en_US.ISO8859-1/books/handbook/security/chapter.xml	Fri May  8 09:16:46 2020	(r54113)
+++ head/en_US.ISO8859-1/books/handbook/security/chapter.xml	Fri May  8 13:58:05 2020	(r54114)
@@ -1207,12 +1207,17 @@ sendmail : PARANOID : deny KDC is recommended for security reasons. - To begin setting up a KDC, add these - lines to /etc/rc.conf: + To begin, install the security/heimdal + package as follows: - kdc_enable="YES" -kadmind_enable="YES" + &prompt.root; pkg install heimdal + Next, update /etc/rc.conf using + sysrc as follows: + + &prompt.root; sysrc kdc_enable=yes +&prompt.root; sysrc kadmind_enable=yes + Next, edit /etc/krb5.conf as follows: @@ -1295,25 +1300,32 @@ Realm max ticket life [unlimited]: Lastly, while still in kadmin, create the first principal using add. Stick to the default options for the principal for now, as these can be - changed later with modify. Type - ? at the prompt to see the available + kadmin, using the add. + Stick to the default options for the admin principal for now, + as these can be changed later with modify. + Type ? at the prompt to see the available options. - kadmin> add tillman + kadmin> add tillman Max ticket life [unlimited]: Max renewable life [unlimited]: +Principal expiration time [never]: +Password expiration time [never]: Attributes []: Password: xxxxxxxx Verifying password - Password: xxxxxxxx - Next, start the KDC services by running - service kdc start and - service kadmind start. While there will - not be any kerberized daemons running at this point, it is - possible to confirm that the KDC is - functioning by obtaining a ticket for the - principal that was just created: + Next, start the KDC services by + running: + &prompt.root; service kdc start +&prompt.root; service kadmind start + + While there will not be any kerberized daemons running at + this point, it is possible to confirm that the + KDC is functioning by obtaining a ticket + for the principle that was just created: + &prompt.user; kinit tillman tillman@EXAMPLE.ORG's Password: 
@@ -1380,8 +1392,9 @@ Aug 27 15:37:58 2013 Aug 28 01:37:58 2013 krbtgt/EXA kadmin will prompt for the password to get a fresh ticket. The principal authenticating to the kadmin service must be permitted to use the kadmin - interface, as specified in kadmind.acl. - See the section titled Remote administration in + interface, as specified in + /var/heimdal/kadmind.acl. See the + section titled Remote administration in info heimdal for details on designing access control lists. Instead of enabling remote kadmin access, the administrator could @@ -1756,8 +1769,8 @@ kadmind_enable="YES" Heimdal - Kerberos home + xlink:href="https://github.com/heimdal/heimdal/wiki">Heimdal + Kerberos project wiki page
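Review bot: the second hunk (@@ -1295,25 +1300,32 @@) introduces a spelling error in the added line "for the principle that was just created"; the Kerberos identity is a "principal", as the unchanged text and the `kadmin> add tillman` example in the same hunk use it, so the added line should read "for the principal that was just created". In the same hunk the first replacement line, "kadmin, using the add.", reads as a sentence fragment after the unchanged lead-in "Lastly, while still in"; please confirm that the object of the verb (the original "create the first principal") survived the rewrite rather than being dropped along with the removed line.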
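Review bot: the third hunk (@@ -1380,8 +1392,9 @@) hard-codes /var/heimdal/kadmind.acl, while the first hunk now has readers install Heimdal from the security/heimdal package instead of relying on the base-system KDC; it is worth confirming in review that this is the file the packaged kadmind actually reads, or phrasing it as the default location so readers with a different installation prefix are not sent to the wrong ACL file.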