Now generated.
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@1840 ec53bebd-3082-4978-b11e-865c3cabbd6b
This commit is contained in:
Johan Danielsson
@@ -1,74 +0,0 @@
|
||||
----------------------------------------------------------
|
||||
| NOTE: This code might not work as expected, especially |
|
||||
| when used with C2 (aka ENHANCED) security. |
|
||||
----------------------------------------------------------
|
||||
|
||||
This is an attempt at a SIA module for Kerberos. To install this you
|
||||
will have to do the following:
|
||||
|
||||
* Make sure libsia_krb4.so is available in /usr/athena/lib. If
|
||||
/usr/athena is not on local disk, you might want to put it in
|
||||
/usr/shlib or someplace else. If you do, you'll have to edit
|
||||
krb4_matrix.conf to reflect the new location.
|
||||
|
||||
* Copy (your possibly edited) krb4_matrix.conf to /etc/sia.
|
||||
|
||||
* Apply security.patch to /sbin/init.d/security
|
||||
|
||||
* Turn on krb4 security by issuing `rcmgr set SECURITY KRB4' and
|
||||
`rcmgr set KRB4_MATRIX_CONF krb4_matrix.conf'
|
||||
|
||||
* Digital thinks you should reboot your machine, but that really
|
||||
shouldn't be necessary. It's usually sufficient just to run
|
||||
/sbin/init.d/security
|
||||
|
||||
Users with local passwords (like root) should be able to login safely.
|
||||
|
||||
When using Digital's xdm the KRBTKFILE environment variable doesn't
|
||||
get passed along (since xdm zaps the environment). Instead you have to
|
||||
set KRBTKFILE to the correct value in /usr/lib/X11/xdm/Xsession. Add a
|
||||
line similar to
|
||||
|
||||
KRBTKFILE=/tmp/tkt`id -u`_`ps -o ppid= -p $$`; export KRBTKFILE
|
||||
|
||||
There is currently no support for changing kerberos passwords. Use
|
||||
kpasswd instead.
|
||||
|
||||
NOTES to users with ENHANCED security
|
||||
-------------------------------------
|
||||
|
||||
Digital's ENHANCED (C2) security, and Kerberos solves two different
|
||||
problems. C2 deals with local security, and adds better control of who
|
||||
can do what, and adds auditing and similar things. Kerberos deals with
|
||||
network security.
|
||||
|
||||
The C2 compatibility has not been extensively tested, simply because I
|
||||
don't use C2. To make C2 security work with Kerberos you will have to
|
||||
do the following.
|
||||
|
||||
* Replace `krb4_matrix.conf' with `krb4+c2_matrix.conf' in the above
|
||||
directions.
|
||||
|
||||
* You must enable `vouching' in the `default' database. This will
|
||||
make C2 trust other SIA modules, so you can login without giving
|
||||
your C2 password. To do this use `edauth' to edit the default entry
|
||||
`/usr/tcb/bin/edauth -dd default', and add a
|
||||
`d_accept_alternate_vouching' capability, if not already present.
|
||||
|
||||
* For each user that does *not* have a C2 password, you should set the
|
||||
password expiration field to zero. You can do this for each user, or
|
||||
in the `default' table. To to this use `edauth' to set (or change)
|
||||
the `u_exp' capability to `u_exp#0'.
|
||||
|
||||
* (optional) Change the entry for telnet in `/etc/inetd.conf' to
|
||||
explicitly use Digital's login program. You can do this by adding
|
||||
`-L /bin/login' at the end of the line. This way users with local
|
||||
passwords will get warnings about expiring passwords and such.
|
||||
|
||||
REMEMBER, if you do these changes you will get a system that most
|
||||
certainly does *not* fulfill the requirements of a C2 system. If C2 is
|
||||
what you want, for instance if someone else is forcing you to use it,
|
||||
you're out of luck. If you use ENHANCED security because you want a
|
||||
system that is more secure than it would otherwise be, you probably
|
||||
got an even more secure system. Passwords will not be sent in the
|
||||
clear, for instance.
|
||||
Reference in New Issue
Block a user