MIT Kerberos for Debian Kerberos Package Roadmap Most systems using Kerberos should install at least krb5-user, which contains the basic kinit, klist, and kdestroy binaries to manage user Kerberos credentials, as well as other basic utilities. In order to use Kerberos passwords for local authentication and obtain Kerberos credentials automatically when logging in, install and configure libpam-krb5. To log on to other systems using Kerberos authentication, most sites will find a Kerberos-enabled sshd the most convenient. Either the openssh-client and openssh-server packages version 1:4.2p1-2 or later (preferrable) or openssh-krb5 (for older Debian releases) will work. See the ssh documentation for information on enabling GSSAPI authentication (which is how Kerberos authentication is done over the ssh protocol). Some sites will instead prefer to use Kerberos-enabled versions of the standard Unix login utilities (rsh, rlogin, telnet, ftp). The clients are available in the krb5-clients package and the servers are available in the krb5-rsh-server, krb5-telnetd, and krb5-ftpd packages. Please note that the telnetd and ftpd included in those packages do not use PAM (this is not supported upstream and may or may not ever be supported); they only support Kerberos and will not run other PAM modules. For more flexible login support, use Kerberos-enabled ssh instead. The krb5-kdc and krb5-admin-server packages are only needed and used on Kerberos KDCs, only one set of which is needed for each independently managed Kerberos realm. For more information on how to set up a Kerberos realm using the Debian packages, install krb5-kdc and then read /usr/share/doc/krb5-kdc/README.KDC. Documentation All Kerberos binaries and most configuration files have manual pages. For the info pages and reference manual, install krb5-doc. If you need additional information, see . Debian-Specific Information MIT distributes the Kerberos sources as a tarball and a PGP signature, tarred up into a single .tar file. In order to create the Debian original upstream source (.orig.tar.gz), I untarred the parent tarball, checked the PGP signature, and used the contained tarball as the upstream source. MIT Kerberos is built against the libcom_err and libss provided by the e2fsprogs source package. It is built against the version of db included in src/util/db2 in the Kerberos sources. In the future, krb5-kdc may change to use db4, although doing so will make upgrades somewhat difficult. None of the sample clients and servers are installed. As a general rule, these are not useful unless you are doing development, and in such a situation you probably want to build them from source. Note that by default, no unencrypted services are enabled. That means, if you are using krb5-clients and the supporting server packages, you need to use rlogin -x to connect to a Debian system and if you use rsh or rcp without the -x option you will get an error that encryption is required. In this day and age, not encrypting network traffic is a good way to get attacked. If installed, krb5-rsh-server by default allows any user in the local realm whose principal matches a local account name to log on to that account. See the klogind and kshd man pages. If this isn't the behavior you want, one option is to create an empty .k5login file in the home directory of every user and then add principals to those files where it's appropriate. One way to do this for all newly created users is: touch /etc/skel/.k5login This will cause an empty .k5login file to be put in the home directory of newly created users. krb524 AFS Conversion The following section is only of use to Kerberos users who also use the AFS distributed file system. An alternate conversion is provided for AFS servers that support the encrypted part of a krb5 ticket as an AFS token. If krb524d is converting a principal whose first component is afs and if the encrypted part of the ticket fits in 344 bytes, then it will default to simply returning the encrypted part of the ticket as a token. If it turns out that the AFS server does not support the ticket, then users will get an unknown key version error and the krb524d must be configured to use v4 tickets for this AFS service. The krb524d looks in the appdefaults section of krb5.conf for an application called afs_krb5 to determine whether AFS principals support encrypted ticket parts as tokens. The following configuration fragment says that afs/sipb.mit.edu@ATHENA.MIT.EDU supports the new token format but afs@ATHENA.MIT.EDU and afs/athena.mit.edu@ATHENA.MIT.EDU do not. Note that the default is to assume afs servers support the new format. [appdefaults] afs_krb5 = { ATHENA.MIT.EDU = { # This stanza describes principals in the ATHENA.MIT.EDU realm afs = false afs/athena.mit.edu = false afs/sipb.mit.edu = true } } -- Russ Allbery , Fri Dec 2 21:05:05 2005