Secure Unix LAN (NIS and Kerberized NFSv4)

Kerberos Server

by ross at 09:15:40 on November 1, 2016

Add to /etc/rc.conf:

# Enable Kerberos server
kdc_enable="YES"
kadmind_enable="YES"
kpasswdd_enable="YES"

Create /etc/krb5.conf:

[appdefaults]
    pam = {
        ticket_lifetime = 1d
        default_lifetime = 1d
        renew_lifetime = 1d
    }
[libdefaults]
    default_realm = LAN
    ticket_lifetime = 1d
    default_lifetime = 1d
    renew_lifetime = 1d
[domain_realm]
    .lan = LAN
[realms]
    LAN = {
        kdc = coffin.lan
        admin_server = coffin.lan
        kpasswd_server = coffin.lan
        default_domain = lan
    }

Create master key:

# kstash
Master key:
Verifying - Master key:
kstash: writing key to `/var/heimdal/m-key'

Initialize the database:

# kadmin -l
kadmin> init LAN
Realm max ticket life [unlimited]:
Realm max renewable ticket life [unlimited]:
kadmin> modify --max-ticket-life=3d default
kadmin> add root/admin
Max ticket life [3 days]:
Max renewable life [1 week]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes []:
root/admin@LAN's Password:
Verifying - root/admin@LAN's Password:
kadmin> add --random-key host/coffin.lan
Max ticket life [3 days]:
Max renewable life [1 week]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes []:
kadmin> ext host/coffin.lan

Now add the users from your NIS master.passwd:

kadmin> add user1
Max ticket life [3 days]:
Max renewable life [1 week]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes []:
user1@LAN's Password:
Verifying - user1@LAN's Password:
Repeat for every existing NIS user...

Create ACL file: /var/heimdal/kadmind.acl

root/admin@LAN          all
*                       change-password

Start the daemons:

# service kerberos start
# service kadmind start
# service kpasswdd start
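Typing `add user1`, `add user2`, ... into kadmin and answering five prompts per user does not scale past a handful of NIS accounts. The script below is an added example, not part of the original post: it reads a FreeBSD master.passwd, keeps only real login accounts, and emits a non-interactive batch for `kadmin -l`. It assumes (not stated in the post) that user accounts have a uid of 1000 or more and an interactive shell, that the NIS source file lives at /var/yp/master.passwd, and that each principal is created with Heimdal's `--use-defaults --random-password` so the user receives a one-time initial password (printed by kadmin) and changes it through kpasswdd, which the ACL line `* change-password` already permits. The sample master.passwd embedded in the script is constructed for the dry run and is not real data.

```shell
#!/bin/sh
# Added example (not from the original post): build a kadmin -l batch from an
# NIS master.passwd so every NIS user gets a principal in realm LAN.
# Assumptions: uid >= 1000 and a real login shell mark a user account;
# --use-defaults accepts the realm defaults set with `modify default`;
# --random-password makes kadmin print a one-time initial password.
set -eu

# Constructed sample master.passwd (FreeBSD 10-field format). Not real data.
SAMPLE_MASTER_PASSWD='root:*:0:0::0:0:Charlie &:/root:/bin/sh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
nobody:*:65534:65534::0:0:Unprivileged user:/nonexistent:/usr/sbin/nologin
user1:$6$hash$:1001:1001::0:0:First User:/home/user1:/bin/sh
user2:$6$hash$:1002:1002::0:0:Second User:/home/user2:/usr/local/bin/zsh
svcacct:*:1003:1003::0:0:Service account:/nonexistent:/usr/sbin/nologin'

# Read master.passwd on stdin; print the login names that should become
# Kerberos principals: uid >= 1000, not the catch-all nobody, and a shell
# that is not nologin. System and service accounts never get a principal.
nis_users() {
    awk -F: '$3 >= 1000 && $3 != 65534 && $10 != "" && $10 !~ /nologin$/ { print $1 }'
}

# Read login names on stdin; print one kadmin `add` command per user.
# The realm is implied, so "user1" becomes user1@LAN exactly as in the post.
kadmin_batch() {
    while read -r user; do
        [ -n "$user" ] || continue
        printf 'add --use-defaults --random-password %s\n' "$user"
    done
}

# Default is a dry run over the sample data; "apply" feeds the real NIS
# source file into the local database, like `kadmin -l` in the post.
if [ "${1:-dry-run}" = "apply" ]; then
    nis_users < /var/yp/master.passwd | kadmin_batch | kadmin -l
else
    printf '%s\n' "$SAMPLE_MASTER_PASSWD" | nis_users | kadmin_batch
fi
```

Run it without arguments first and read the generated batch; only then run it with `apply` as root on the KDC. Because `--random-password` prints each initial password on the terminal, run the apply step on a local console rather than over a shared session, and hand the passwords to users out of band.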
