krb5: Update to 1.21.1 - src - FreeBSD source tree

diff options


context:
space:
mode:

author	Cy Schubert <cy@FreeBSD.org>	2023-08-04 17:53:10 +0000
committer	Cy Schubert <cy@FreeBSD.org>	2023-08-04 17:53:10 +0000
commit	0320e0d5bb9fbb5da53478b3fd80ad79b110191d (patch)
tree	e1185f75bd2d3f87b0c17f787debc3ee8648214b /doc/html/admin/install_appl_srv.html
parent	b0e4d68d5124581ae353493d69bea352de4cff8a (diff)

vendor/krb5/1.21.1

Diffstat (limited to 'doc/html/admin/install_appl_srv.html')

-rw-r--r--

doc/html/admin/install_appl_srv.html

1 files changed, 39 insertions, 43 deletions

diff --git a/doc/html/admin/install_appl_srv.html b/doc/html/admin/install_appl_srv.html
index 753e53d0f1cb..ba75eae8a2ea 100644
--- a/doc/html/admin/install_appl_srv.html
+++ b/doc/html/admin/install_appl_srv.html

@@ -1,33 +1,31 @@

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"

"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<head>

- <title>UNIX Application Servers — MIT Kerberos Documentation</title>

+ <title>UNIX Application Servers — MIT Kerberos Documentation</title>

var DOCUMENTATION_OPTIONS = {

URL_ROOT: '../',

- VERSION: '1.16',

+ VERSION: '1.21.1',

COLLAPSE_INDEX: false,

FILE_SUFFIX: '.html',

- HAS_SOURCE: true

+ HAS_SOURCE: true,

+ SOURCELINK_SUFFIX: '.txt'

};

</script>

+ <link rel="index" title="Index" href="../genindex.html" />

+ <link rel="search" title="Search" href="../search.html" />

- <link rel="top" title="MIT Kerberos Documentation" href="../index.html" />

- <link rel="up" title="Installation guide" href="install.html" />

</head>

@@ -61,61 +59,56 @@

- <div class="body">

+ <div class="body" role="main">

<h1>UNIX Application Servers<a class="headerlink" href="#unix-application-servers" title="Permalink to this headline">¶</a></h1>

An application server is a host that provides one or more services

-over the network. Application servers can be “secure” or “insecure.”

-A “secure” host is set up to require authentication from every client

-connecting to it. An “insecure” host will still provide Kerberos

+over the network. Application servers can be “secure” or “insecure.”

+A “secure” host is set up to require authentication from every client

+connecting to it. An “insecure” host will still provide Kerberos

authentication, but will also allow unauthenticated clients to

connect.

If you have Kerberos V5 installed on all of your client machines, MIT

recommends that you make your hosts secure, to take advantage of the

security that Kerberos authentication affords. However, if you have

some clients that do not have Kerberos V5 installed, you can run an

-insecure server, and still take advantage of Kerberos V5’s single

+insecure server, and still take advantage of Kerberos V5’s single

sign-on capability.

<h2>The keytab file<a class="headerlink" href="#the-keytab-file" title="Permalink to this headline">¶</a></h2>

All Kerberos server machines need a keytab file to authenticate to the

-KDC. By default on UNIX-like systems this file is named <a class="reference internal" href="../mitK5defaults.html#paths">DEFKTNAME</a>.

-The keytab file is an local copy of the host’s key. The keytab file

+KDC. By default on UNIX-like systems this file is named <a class="reference internal" href="../mitK5defaults.html#paths">DEFKTNAME</a>.

+The keytab file is an local copy of the host’s key. The keytab file

is a potential point of entry for a break-in, and if compromised,

would allow unrestricted access to its host. The keytab file should

-be readable only by root, and should exist only on the machine’s local

+be readable only by root, and should exist only on the machine’s local

disk. The file should not be part of any backup of the machine,

unless access to the backup data is secured as tightly as access to

-the machine’s root password.

+the machine’s root password.

In order to generate a keytab for a host, the host must have a

principal in the Kerberos database. The procedure for adding hosts to

-the database is described fully in <a class="reference internal" href="database.html#add-mod-del-princs">Adding, modifying and deleting principals</a>. (See

-<a class="reference internal" href="install_kdc.html#slave-host-key">Create host keytabs for slave KDCs</a> for a brief description.) The keytab is

-generated by running <a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1">kadmin</a> and issuing the <a class="reference internal" href="admin_commands/kadmin_local.html#ktadd">ktadd</a>

+the database is described fully in <a class="reference internal" href="database.html#principals">Principals</a>. (See

+<a class="reference internal" href="install_kdc.html#replica-host-key">Create host keytabs for replica KDCs</a> for a brief description.) The keytab is

+generated by running <a class="reference internal" href="admin_commands/kadmin_local.html#kadmin-1">kadmin</a> and issuing the <a class="reference internal" href="admin_commands/kadmin_local.html#ktadd">ktadd</a>

command.

For example, to generate a keytab file to allow the host

-<tt class="docutils literal">trillium.mit.edu</tt> to authenticate for the services host, ftp, and

-pop, the administrator <tt class="docutils literal">joeadmin</tt> would issue the command (on

-<tt class="docutils literal">trillium.mit.edu</tt>):

-<div class="highlight-python"><div class="highlight"><pre>trillium% kadmin

-kadmin5: ktadd host/trillium.mit.edu ftp/trillium.mit.edu

- pop/trillium.mit.edu

-kadmin: Entry for principal host/trillium.mit.edu@ATHENA.MIT.EDU with

- kvno 3, encryption type DES-CBC-CRC added to keytab

- FILE:/etc/krb5.keytab.

-kadmin: Entry for principal ftp/trillium.mit.edu@ATHENA.MIT.EDU with

- kvno 3, encryption type DES-CBC-CRC added to keytab

- FILE:/etc/krb5.keytab.

-kadmin: Entry for principal pop/trillium.mit.edu@ATHENA.MIT.EDU with

- kvno 3, encryption type DES-CBC-CRC added to keytab

- FILE:/etc/krb5.keytab.

-kadmin5: quit

-trillium%

+<code class="docutils literal">trillium.mit.edu</code> to authenticate for the services host, ftp, and

+pop, the administrator <code class="docutils literal">joeadmin</code> would issue the command (on

+<code class="docutils literal">trillium.mit.edu</code>):

+<div class="highlight-default"><div class="highlight"><pre>trillium% kadmin

+Authenticating as principal root/admin@ATHENA.MIT.EDU with password.

+Password for root/admin@ATHENA.MIT.EDU:

+kadmin: ktadd host/trillium.mit.edu ftp/trillium.mit.edu pop/trillium.mit.edu

+Entry for principal host/trillium.mit.edu@ATHENA.MIT.EDU with kvno 3, encryption type aes256-cts-hmac-sha384-192 added to keytab FILE:/etc/krb5.keytab.

+kadmin: Entry for principal ftp/trillium.mit.edu@ATHENA.MIT.EDU with kvno 3, encryption type aes256-cts-hmac-sha384-192 added to keytab FILE:/etc/krb5.keytab.

+kadmin: Entry for principal pop/trillium.mit.edu@ATHENA.MIT.EDU with kvno 3, encryption type aes256-cts-hmac-sha384-192 added to keytab FILE:/etc/krb5.keytab.

+kadmin: quit

+trillium%

</pre></div>

</div>

If you generate the keytab file on another host, you need to get a

-copy of the keytab file onto the destination host (<tt class="docutils literal">trillium</tt>, in

+copy of the keytab file onto the destination host (<code class="docutils literal">trillium</code>, in

the above example) without sending it unencrypted over the network.

</div>

@@ -127,7 +120,7 @@ place to try to include an exhaustive list of countermeasures for

every possible attack, but it is worth noting some of the larger holes

and how to close them.

We recommend that backups of secure machines exclude the keytab file

-(<a class="reference internal" href="../mitK5defaults.html#paths">DEFKTNAME</a>). If this is not possible, the backups should at least be

+(<a class="reference internal" href="../mitK5defaults.html#paths">DEFKTNAME</a>). If this is not possible, the backups should at least be

done locally, rather than over a network, and the backup tapes should

be physically secured.

The keytab file and any programs run by root, including the Kerberos

@@ -159,12 +152,13 @@ readable only by root.

<li class="toctree-l2 current"><a class="reference internal" href="install.html">Installation guide</a><ul class="current">

<li class="toctree-l3"><a class="reference internal" href="install_kdc.html">Installing KDCs</a></li>

<li class="toctree-l3"><a class="reference internal" href="install_clients.html">Installing and configuring UNIX client machines</a></li>

-<li class="toctree-l3 current"><a class="current reference internal" href="">UNIX Application Servers</a></li>

+<li class="toctree-l3 current"><a class="current reference internal" href="#">UNIX Application Servers</a></li>

</ul>

</li>

<li class="toctree-l2"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li>

<li class="toctree-l2"><a class="reference internal" href="realm_config.html">Realm configuration decisions</a></li>

<li class="toctree-l2"><a class="reference internal" href="database.html">Database administration</a></li>

+<li class="toctree-l2"><a class="reference internal" href="dbtypes.html">Database types</a></li>

<li class="toctree-l2"><a class="reference internal" href="lockout.html">Account lockout</a></li>

<li class="toctree-l2"><a class="reference internal" href="conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>

<li class="toctree-l2"><a class="reference internal" href="appl_servers.html">Application servers</a></li>

@@ -172,6 +166,8 @@ readable only by root.

<li class="toctree-l2"><a class="reference internal" href="backup_host.html">Backups of secure hosts</a></li>

<li class="toctree-l2"><a class="reference internal" href="pkinit.html">PKINIT configuration</a></li>

<li class="toctree-l2"><a class="reference internal" href="otp.html">OTP Preauthentication</a></li>

+<li class="toctree-l2"><a class="reference internal" href="spake.html">SPAKE Preauthentication</a></li>

+<li class="toctree-l2"><a class="reference internal" href="dictionary.html">Addressing dictionary attack risks</a></li>

<li class="toctree-l2"><a class="reference internal" href="princ_dns.html">Principal names and DNS</a></li>

<li class="toctree-l2"><a class="reference internal" href="enctypes.html">Encryption types</a></li>

<li class="toctree-l2"><a class="reference internal" href="https.html">HTTPS proxy configuration</a></li>

@@ -211,8 +207,8 @@ readable only by root.

- <div class="right" >Release: 1.16

+ <div class="right" >Release: 1.21.1

</div>