Date: Wed, 24 Nov 2004 11:42:58 -0600
From: Tillman Hodgson <tillman@seekingfire.com>
To: FreeBSD-Doc <freebsd-doc@freebsd.org>
Subject: [RFC] Kerberos5 chapter re-write
Message-ID: <20041124174258.GA28061@seekingfire.com>
For the impatient:
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

The patch is at http://www.seekingfire.com/patches/kerberos5.patch

I have an HTML-rendered version of it up at
http://www.seekingfire.com/freebsd-doc/kerberos5.html

I'm looking for peer review and technical feedback :-)

[Note that the recent discussion about moving Security sub-chapters
around has nothing to do with this patch: it assumes that Kerberos5
has not moved.]

The Plan:
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

The current layout looks like this:

(Intro)
History
Setting up a Heimdal KDC
Kerberos enabling a server with Heimdal services
Kerberos enabling a client with Heimdal
User configuration files: .k5login and .k5users
Kerberos tips, tricks, and troubleshooting
Differences with the MIT port
Mitigating limitations found in Kerberos
    Kerberos is an all-or-nothing approach
    Kerberos is intended for single-user workstations
    The KDC is a single point of failure
Kerberos Shortcomings
Resources and further information

My proposed layout (with more nesting for better organization):

(Intro)
Setting up Kerberos
    Setting up related services
    Setting up related services
    Setting up related services
    Setting up the Heimdal Key Distribution Center
        Configuring /etc/rc.conf
        Configuring /etc/krb5.conf
        Creating the initial Kerberos database
    Setting up the Heimdal administrative service
        Configuring /etc/rc.conf
        Configuring kadmind access control lists
        Starting and testing the kadmind service
    Kerberos enabling a server with Heimdal services
        Configuring /etc/krb5.conf
        Configuring /etc/krb5.keytab
        Configuring /etc/inetd.conf
    Setting up a Heimdal client
        Configuring /etc/krb5.conf
        Customizing user configuration files: .k5login and .k5users
Kerberos testing and troubleshooting
    Troubleshooting procedure
    Troubleshooting tips
Kerberos ports: MIT and Heimdal
    Kerberos Implementations
    Implementation interoperability
Using Kerberos with OpenSSH        <-- Not yet written, but planned
Mitigating limitations found in Kerberos
    Kerberos is an all-or-nothing approach
    Kerberos is intended for single-user workstations
    The KDC is a single point of failure
Kerberos Shortcomings
Resources and further information

New material, especially w.r.t. DNS, admin services and ports, answers
some of the more common questions that have popped up on the mailing
lists since this chapter was originally written.

Change Summary:
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

* Reorganized as per the outline given above
* New material in the NTP, DNS, kadmind, implementation and
  interoperability
* Added indexterm tags to titles (up to sect3, unless a sect4 had a tag
  in it that might render weird)
* Minor clean-up of all material and re-confirmed technical accuracy
* Whitespace and indentation (I followed the 70 column guidelines that
  currently exist)
* Spell checked

I also confirmed that it will pass the build system, as the HTML link
above will attest. This was actually a great way to find typos in SGML
tags ;-)

I didn't create a new "SSH and Kerberos" sub-section. I plan on doing
so now that I have a working setup to -- it's more complex than I
thought. It'll have to be a separate patch at some point in the future.

-T

-- 
"Laughter is the sound that knowledge makes when it's born."
    -- David Weinberger, _The Hyperlinked Organization_