Domain hosting, buy domain names & web page promotion services
  

 Home
Red Hat Linux 8.0: The Official Red Hat Linux Reference Guide
PrevChapter 10. KerberosNext

Configuring a Kerberos 5 Client

Setting up a Kerberos 5 client is less involved than setting up a server. At minimum, install the client packages and provide each client with a valid krb5.conf configuration file. Kerberized versions of rsh and rlogin will also require some configuration changes.

  1. Be sure that you have time synchronization in place between the Kerberos client and KDC. See the Section called Configuring a Kerberos 5 Server for more information. In addition, verify that DNS is working properly on the Kerberos client before configuring the Kerberos client programs.

  2. Install the krb5-libs and krb5-workstation packages on all of the client machines. You must supply a version of /etc/krb5.conf for each client; usually this can be the same krb5.conf used by the KDC.

  3. Before a workstation in the realm can allow users to connect using kerberized rsh and rlogin, that workstation will need to have the xinetd package installed and have its own host principal in the Kerberos database. The kshd and klogind server programs will also need access to the keys for their service's principal.

    Using kadmin, add a host principal for the workstation on the KDC. The instance in this case will be the hostname of the workstation. You can use the -randkey option to kadmin's addprinc command on the KDC to create the principal and assign it a random key: 

    addprinc -randkey host/blah.example.com

    Now that you have created the principal, you can extract the keys for the workstation by running kadmin on the workstation itself, and using the ktadd command within kadmin:

    ktadd -k /etc/krb5.keytab host/blah.example.com

    In order to use the kerberized versions of rsh and rlogin, you must enable klogin, eklogin, and kshell. [1]

  4. Other kerberized network services will need to be started. To use kerberized telnet, you must enable krb5-telnet.

    To provide FTP access, create and extract a key for a principal with a root of ftp, with the instance set to the hostname of the FTP server. Then enable gssftp.

    The IMAP server included in the imap package will use GSS-API authentication using Kerberos 5 if it finds the proper key in /etc/krb5.keytab. The root for the principal should be imap. The CVS gserver uses a principal with a root of cvs and is otherwise identical to a pserver.

Notes

[1]

Refer to the chapter titled Controlling Access to Services in the Official Red Hat Linux Customization Guide for details on enabling services.

PrevHomeNext
Configuring a Kerberos 5 ServerUpAdditional Resources
 

 

 

 

Buy domain name by 895cheap-domain.com |  Web site ranking and promotion 

Disclaimer: For authoritative source or latest update to this documentation, please refer to http://www.redhat.com/docs/manuals/linux/

 
Quotes: We are long before we are convinced that happiness is never to be found, and each believes it possessed by others, to keep alive the hope of obtaining it for himself.