[RFC] Kerberos5 chapter re-write
Tillman Hodgson
tillman at seekingfire.com
Wed Nov 24 17:43:01 UTC 2004
For the impatient:
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
The patch is at http://www.seekingfire.com/patches/kerberos5.patch
I have an HTML-rendered version of it up at
http://www.seekingfire.com/freebsd-doc/kerberos5.html
I'm looking for peer review and technical feedback :-)
[Note that the recent discussion about moving Security sub-chapters
around has nothing to do with this patch: it assumes that Kerberos5 has
not moved.]
The Plan:
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
The current layout looks like this:
(Intro)
History
Setting up a Heimdal KDC
Kerberos enabling a server with Heimdal services
Kerberos enabling a client with Heimdal
User configuration files: .k5login and .k5users
Kerberos tips, tricks, and troubleshooting
Differences with the MIT port
Mitigating limitations found in Kerberos
Kerberos is an all-or-nothing approach
Kerberos is intended for single-user workstations
The KDC is a single point of failure
Kerberos Shortcomings
Resources and further information
My proposed layout (with more nesting for better organization):
(Intro)
Setting up Kerberos
Setting up related services
Setting up the Heimdal Key Distribution Center
Configuring /etc/rc.conf
Configuring /etc/krb5.conf
Creating the initial Kerberos database
Setting up the Heimdal administrative service
Configuring /etc/rc.conf
Configuring kadmind access control lists
Starting and testing the kadmind service
Kerberos enabling a server with Heimdal services
Configuring /etc/krb5.conf
Configuring /etc/krb5.keytab
Configuring /etc/inetd.conf
Setting up a Heimdal client
Configuring /etc/krb5.conf
Customizing user configuration files: .k5login and .k5users
Kerberos testing and troubleshooting
Troubleshooting procedure
Troubleshooting tips
Kerberos ports: MIT and Heimdal
Kerberos Implementations
Implementation interoperability
Using Kerberos with OpenSSH <-- Not yet written, but planned
Mitigating limitations found in Kerberos
Kerberos is an all-or-nothing approach
Kerberos is intended for single-user workstations
The KDC is a single point of failure
Kerberos Shortcomings
Resources and further information
New material, especially w.r.t. DNS, admin services and ports, answers
some of the more common questions that have popped up on the mailing
lists since this chapter was originally written.
Change Summary:
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
* Reorganized as per the outline given above
* New material in the NTP, DNS, kadmind, implementation and
interoperability sections
* Added indexterm tags to titles (up to sect3, unless a sect4 had a tag
in it that might render weird)
* Minor clean-up of all material and re-confirmed technical accuracy
* Whitespace and indentation (I followed the 70 column guidelines that
currently exist)
* Spell checked
I also confirmed that it will pass the build system, as the HTML link
above will attest. This was actually a great way to find typos in SGML
tags ;-)
I didn't create a new "SSH and Kerberos" sub-section. I plan on doing so
now that I have a working setup to -- it's more
complex than I thought. It'll have to be a separate patch at some point
in the future.
-T
--
"Laughter is the sound that knowledge makes when it's born."
-- David Weinberger, _The Hyperlinked Organization_