Contributed by Mark Murray <markm@FreeBSD.org> (based on contribution by ).
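Kerberos is a network add-on system/protocol that allows users to authenticate themselves through the services of a secure server. Services such as remote login, remote copy, file copying between systems and other high-risk tasks are made considerably safer and more controllable.
The following instructions are a guide to setting up Kerberos for FreeBSD. Refer to the relevant manual pages for a more detailed description.
In FreeBSD, Kerberos does not come from the original 4.4BSD-Lite but is eBones, which was sourced from outside the USA/Canada, so it can be used in countries affected by US export controls on cryptographic code.
This is done on the Kerberos server only. First make sure there is no old Kerberos database. Change to the /etc/kerberosIV directory and check that only the following files are present: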
# cd /etc/kerberosIV
# ls
README krb.conf krb.realms
If any other files (such as principal.* or master_key) exist, use the kdb_destroy command to destroy the old Kerberos database or, if Kerberos is not running, simply delete the extra files.
Now edit the krb.conf and krb.realms files to define the Kerberos realm. In this example the realm is GRONDAR.ZA and the server is grunt.grondar.za. Edit or create the krb.conf file:
# cat krb.conf
GRONDAR.ZA
GRONDAR.ZA grunt.grondar.za admin server
CS.BERKELEY.EDU okeeffe.berkeley.edu
ATHENA.MIT.EDU kerberos.mit.edu
ATHENA.MIT.EDU kerberos-1.mit.edu
ATHENA.MIT.EDU kerberos-2.mit.edu
ATHENA.MIT.EDU kerberos-3.mit.edu
LCS.MIT.EDU kerberos.lcs.mit.edu
TELECOM.MIT.EDU bitsy.mit.edu
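ARC.NASA.GOV trident.arc.nasa.gov
In this example the other realms do not need to be there. They are included as an example of how one machine can be made aware of multiple realms. You may wish to leave them out for simplicity.
The first line names the realm in which this system works. The other lines contain realm/host entries. The first item on each line is a realm, and the second is a host in that realm that acts as a key distribution center. The words admin server following a host name mean that the host also provides an administrative database server. For more information, see the Kerberos manual pages.
Now add grunt.grondar.za to the GRONDAR.ZA realm, and then add an entry that puts all hosts in the .grondar.za domain into the same realm. The krb.realms file is updated as follows: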
# cat krb.realms
grunt.grondar.za GRONDAR.ZA
.grondar.za GRONDAR.ZA
.berkeley.edu CS.BERKELEY.EDU
.MIT.EDU ATHENA.MIT.EDU
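.mit.edu ATHENA.MIT.EDU
The other realms are here as an example of how one machine can be made aware of multiple realms. They can simply be removed.
The first line places the specific system in the named realm. The remaining lines show how to default the systems of a particular subdomain to a named realm.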
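How the two files are read, as an added example that is not part of the original guide or of FreeBSD: a POSIX shell sketch with hypothetical function names. The sample files are constructed from entries shown above, and the longest-suffix matching and case folding for domain entries are assumptions of this sketch.

```sh
#!/bin/sh
# Added example (not FreeBSD code). Files are constructed from entries on this page.
KRB_DIR=$(mktemp -d)
cat > "$KRB_DIR/krb.conf" <<'EOF'
GRONDAR.ZA
GRONDAR.ZA grunt.grondar.za admin server
ATHENA.MIT.EDU kerberos.mit.edu
ATHENA.MIT.EDU kerberos-1.mit.edu
EOF
cat > "$KRB_DIR/krb.realms" <<'EOF'
grunt.grondar.za GRONDAR.ZA
.grondar.za GRONDAR.ZA
.mit.edu ATHENA.MIT.EDU
EOF

# First line of krb.conf: the realm this system works in.
local_realm() { awk 'NR == 1 { print $1; exit }' "$KRB_DIR/krb.conf"; }

# Hosts listed for REALM on the realm/host lines (key distribution centers).
kdcs_for_realm() {
    awk -v r="$1" 'NR > 1 && $1 == r { print $2 }' "$KRB_DIR/krb.conf"
}

# Host whose entry for REALM carries the words "admin server".
admin_server() {
    awk -v r="$1" 'NR > 1 && $1 == r && $3 == "admin" && $4 == "server" {
        print $2; exit }' "$KRB_DIR/krb.conf"
}

# krb.realms lookup: an exact host entry wins, otherwise the longest
# ".domain" entry that is a suffix of HOST (assumption); prints nothing
# when no line matches.
realm_of_host() {
    awk -v h="$1" '
        BEGIN { h = tolower(h); best = 0 }
        NF >= 2 {
            k = tolower($1)
            if (k == h) { exact = $2 } else if (substr(k, 1, 1) == "." &&
                     length(h) > length(k) &&
                     substr(h, length(h) - length(k) + 1) == k &&
                     length(k) > best) { best = length(k); dom = $2 }
        }
        END { r = (exact != "" ? exact : dom); if (r != "") print r }
    ' "$KRB_DIR/krb.realms"
}

realm=$(realm_of_host grumble.grondar.za)
echo "grumble.grondar.za -> $realm, KDC: $(kdcs_for_realm "$realm")"
```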
Now we are ready to create the database. This needs to be run on the Kerberos server. Run the kdb_init command:
# kdb_init
Realm name [default ATHENA.MIT.EDU ]: GRONDAR.ZA
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter Kerberos master key:
Now the key must be saved so that the servers on the local machine can pick it up. Use the kstash command:
# kstash
Enter Kerberos master key:
Current Kerberos master key version is 1.
Master key entered. BEWARE!
This saves the encrypted master password in /etc/kerberosIV/master_key.
Two principals need to be added to the database for each system that is to be secured with Kerberos. Their names are kpasswd and rcmd. These programs allow other systems to change Kerberos passwords and to run commands such as rcp, rlogin and rsh.
Now add these entries:
# kdb_edit
Opening database...
Enter Kerberos master key:
Current Kerberos master key version is 1.
Master key entered. BEWARE!
Previous or default values are in [brackets] ,
enter return to leave the same, or new value.
Principal name: passwd
Instance: grunt
<Not found>, Create [y] ? y
Principal: passwd, Instance: grunt, kdc_key_ver: 1
New Password: <---- enter RANDOM here
Verifying password
New Password: <---- enter RANDOM here
Random password [y] ? y
Principal's new key version = 1
Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ?
Max ticket lifetime (*5 minutes) [ 255 ] ?
Attributes [ 0 ] ?
Edit O.K.
Principal name: rcmd
Instance: grunt
<Not found>, Create [y] ?
Principal: rcmd, Instance: grunt, kdc_key_ver: 1
New Password: <---- enter RANDOM here
Verifying password
New Password: <---- enter RANDOM here
Random password [y] ?
Principal's new key version = 1
Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ?
Max ticket lifetime (*5 minutes) [ 255 ] ?
Attributes [ 0 ] ?
Edit O.K.
Principal name: <---- null entry here will cause an exit
Now all the instances that define the services on each machine must be extracted. Use the ext_srvtab command for this. It creates a file that must be copied or moved by secure means to the /etc/kerberosIV directory of each Kerberos client. This file must be present on every server and client, and it is crucial to the operation of Kerberos.
# ext_srvtab grunt
Enter Kerberos master key:
Current Kerberos master key version is 1.
Master key entered. BEWARE!
Generating 'grunt-new-srvtab'....
This command only generates a temporary file, which must be renamed to srvtab so that all the servers can pick it up. Use the mv command to move it into place on the original system:
# mv grunt-new-srvtab srvtab
If the file is for a client system and the network may not be secure, copy client-new-srvtab to removable media and transport it by secure physical means. Be sure to rename it to srvtab in the client's /etc/kerberosIV directory, and make sure it is mode 600:
# mv grumble-new-srvtab srvtab
# chmod 600 srvtab
Now add some user entries to the database. First, create an entry for the user jane. Use the kdb_edit command to do this:
# kdb_edit
Opening database...
Enter Kerberos master key:
Current Kerberos master key version is 1.
Master key entered. BEWARE!
Previous or default values are in [brackets] ,
enter return to leave the same, or new value.
Principal name: jane
Instance:
<Not found>, Create [y] ? y
Principal: jane, Instance: , kdc_key_ver: 1
New Password: <---- enter a secure password here
Verifying password
New Password: <---- re-enter the password here
Principal's new key version = 1
Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ?
Max ticket lifetime (*5 minutes) [ 255 ] ?
Attributes [ 0 ] ?
Edit O.K.
Principal name: <---- null entry here will cause an exit
First the Kerberos daemons must be started. Note that if /etc/rc.conf has been edited correctly, this happens automatically when the system is rebooted. This is only necessary on the Kerberos server. Kerberos clients automatically get what they need from the /etc/kerberosIV directory.
# kerberos &
Kerberos server starting
Sleep forever on error
Log file is /var/log/kerberos.log
Current Kerberos master key version is 1.
Master key entered. BEWARE!
Current Kerberos master key version is 1
Local realm: GRONDAR.ZA
# kadmind -n &
KADM Server KADM0.0A initializing
Please do not use 'kill -9' to kill this job, use a
regular kill instead
Current Kerberos master key version is 1.
Master key entered. BEWARE!
Now the kinit command can be used to obtain a ticket for the ID jane:
% kinit jane
MIT Project Athena (grunt.grondar.za)
Kerberos Initialization for "jane"
Password:
Try listing the tokens with klist to see whether we really have them:
% klist
Ticket file: /tmp/tkt245
Principal: jane@GRONDAR.ZA
  Issued           Expires          Principal
Apr 30 11:23:22  Apr 30 19:23:22  krbtgt.GRONDAR.ZA@GRONDAR.ZA
Now change the password with passwd to check that the kpasswd daemon can get authorization to the Kerberos database:
% passwd
realm GRONDAR.ZA
Old password for jane:
New Password for jane:
Verifying password
New Password for jane:
Password changed.
Kerberos allows each user who needs root privileges to be given their own separate su password. Now add an ID that is authorized to su to root. Using kdb_edit, create the entry jane.root in the Kerberos database:
# kdb_edit
Opening database...
Enter Kerberos master key:
Current Kerberos master key version is 1.
Master key entered. BEWARE!
Previous or default values are in [brackets] ,
enter return to leave the same, or new value.
Principal name: jane
Instance: root
<Not found>, Create [y] ? y
Principal: jane, Instance: root, kdc_key_ver: 1
New Password: <---- enter a SECURE password here
Verifying password
New Password: <---- re-enter the password here
Principal's new key version = 1
Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ?
Max ticket lifetime (*5 minutes) [ 255 ] ? 12 <--- Keep this short!
Attributes [ 0 ] ?
Edit O.K.
Principal name: <---- null entry here will cause an exit
Now try to obtain tokens for it to make sure it works:
# kinit jane.root
MIT Project Athena (grunt.grondar.za)
Kerberos Initialization for "jane.root"
Password:
Now the user must be added to root's .klogin file:
# cat /root/.klogin
jane.root@GRONDAR.ZA
Now try the su:
% su
Password:
Then look at which tokens we have:
# klist
Ticket file: /tmp/tkt_root_245
Principal: jane.root@GRONDAR.ZA
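  Issued           Expires          Principal
May  2 20:43:12  May  3 04:43:12  krbtgt.GRONDAR.ZA@GRONDAR.ZA
In an earlier example, a principal called jane was created with the instance root. It was based on a user with the same name as the principal, which is the Kerberos default: a principal of the form .root (here jane.root) is allowed to su to root, provided the necessary entry is in the .klogin file: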
# cat /root/.klogin
jane.root@GRONDAR.ZA
Likewise, if a user has lines of this form in their own home directory:
% cat ~/.klogin
jane@GRONDAR.ZA
jack@GRONDAR.ZA
This allows anyone in the GRONDAR.ZA realm who has authenticated as jane or jack to access jane's account or files on this system via rlogin, rsh or rcp.
For example, jane now logs in to another system using Kerberos:
% kinit
MIT Project Athena (grunt.grondar.za)
Password:
% rlogin grunt
Last login: Mon May 1 21:14:47 from grumble
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD BUILT-19950429 (GR386) #0: Sat Apr 29 17:50:09 SAT 1995
Or jack logs in to jane's account on the same machine:
% kinit
% rlogin grunt -l jane
MIT Project Athena (grunt.grondar.za)
Password:
Last login: Mon May 1 21:16:55 from grumble
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD BUILT-19950429 (GR386) #0: Sat Apr 29 17:50:09 SAT 1995
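The two file checks from the setup steps above (only README, krb.conf and krb.realms present before kdb_init, and srvtab at mode 600), as an added example that is not part of the original guide or of FreeBSD. The function names are hypothetical, and reading the mode from ls output is a portability choice of this sketch.

```sh
#!/bin/sh
# Added example: audit a KerberosIV configuration directory for the two
# file checks described in this guide. Function names are hypothetical.

# stale_db_files DIR: before kdb_init only README, krb.conf and krb.realms
# should exist; print the name of anything else (principal.*, master_key, ...).
stale_db_files() {
    for f in "$1"/* "$1"/.[!.]*; do
        [ -e "$f" ] || continue          # unmatched glob pattern
        case "${f##*/}" in
            README|krb.conf|krb.realms) ;;
            *) printf '%s\n' "${f##*/}" ;;
        esac
    done
}

# key_file_ok FILE: succeed only if FILE is a regular file (not a symlink)
# whose mode is exactly rw------- (600), as required for srvtab.
key_file_ok() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    mode=$(ls -ld "$1" | cut -c1-10)     # e.g. "-rw-------"
    [ "$mode" = "-rw-------" ]
}

# Usage:
#   stale_db_files /etc/kerberosIV
#   key_file_ok /etc/kerberosIV/srvtab || echo "srvtab is not mode 600"
```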