Indiana University
University Information Technology Services
  

At IU, how do I set up a Unix computer as a Kerberized application server?

In Kerberos, an application server is a server that supports Kerberized access via several common Internet protocols, such as telnet or rlogin. With a Kerberized client, you can connect to an application server securely; your password will not be passed over the network, and you can also encrypt your session.

Note: Because UITS does not recommend that novices attempt to set up an application server, this document assumes that you are comfortable with Unix. Also, these instructions are for Kerberos 5 only.

To set up a Unix computer as a Kerberized application server at Indiana University:

  1. Download the latest version of Kerberos, available from MIT at: http://web.mit.edu/kerberos/www/

    Click the link for the latest Kerberos release, and then read the instructions on how to retrieve the Kerberos source.

  2. The source will be packaged in a tar archive. Enclosed in this file will be the Kerberos distribution and its PGP signature. The distribution will be a tar archive compressed with GNU Zip.

  3. Decompress and unpack the distribution files. This will create a directory called krb5-[version], where [version] is the patch level of the distribution (e.g., 1.2.5).

  4. Instructions on how to install Kerberos are available in the doc directory (located in the top level distribution directory). The installation guide is available in several formats, including HTML and PostScript.

    When you get to the ./configure step, use the --without-krb4 option to disable building Kerberos 4 compatibility code. At IU, this code is useless, and it has contained security vulnerabilities in the past. Your command line should look like this:

    ./configure --without-krb4

  5. You will need to create both a /etc/krb5.conf file and a /etc/krb5.keytab file. You may get a working copy of the /etc/krb5.conf file from: http://itso.iu.edu/krb5.conf

    To get a keytab file, contact the Information Technology Security Office (ITSO) via email at kerberos-admin@iu.edu. Include your computer's fully qualified hostname and a description of the application service you want to Kerberize (e.g., SSH, IMAP, logging into your workstation).

    If you are configuring an Apache virtual host to use mod_auth_kerb, include the fully qualified name of the virtual host (for information about configuring mod_auth_kerb, see "At IU, how can I configure Apache to use mod_auth_kerb for authentication?").

  6. To set up application services, read the installation guide. The two files you will likely need to edit are /etc/services and /etc/inetd.conf. For information about how the Kerberized clients included with the distribution work, see the user guide, which is available in the same directory as the installation guide.
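
Steps 2 through 4 above can be scripted so that the distribution is unpacked only after its PGP signature verifies. The script below is an added example, not part of the original document or the MIT distribution; the function names are hypothetical, the member names krb5-VERSION.tar.gz and krb5-VERSION.tar.gz.asc are assumptions, and it assumes the release signing key is already in your gpg keyring.

```shell
#!/bin/sh
# Added example (not from the original page). Function names are hypothetical.
# Assumed member names inside the outer tar: krb5-VERSION.tar.gz and
# krb5-VERSION.tar.gz.asc (detached PGP signature).

# verify_and_unpack OUTER_TAR VERSION DEST
# Prints the path of the unpacked source tree on success.
verify_and_unpack() {
    outer=$1; version=$2; dest=$3
    dist="krb5-$version.tar.gz"
    sig="$dist.asc"
    mkdir -p "$dest" || return 1

    # Step 2: pull the compressed distribution and its signature out of the outer tar.
    tar -xf "$outer" -C "$dest" "$dist" "$sig" || {
        echo "distribution or signature missing from $outer" >&2
        return 2
    }

    # Check the signature BEFORE unpacking or running anything from the archive.
    # gpg exits non-zero on a bad signature or when the signer's public key is
    # not in the keyring; import the release key and confirm its fingerprint
    # out of band first.
    if ! gpg --verify "$dest/$sig" "$dest/$dist"; then
        echo "PGP signature check failed; not unpacking $dist" >&2
        rm -f "$dest/$dist"
        return 3
    fi

    # Step 3: decompress and unpack; this creates krb5-VERSION.
    gzip -dc "$dest/$dist" | tar -xf - -C "$dest" || return 4
    [ -d "$dest/krb5-$version" ] || return 5
    echo "$dest/krb5-$version"
}

# configure_without_krb4 SRC_TREE
# Step 4: configure with Kerberos 4 compatibility code disabled.
# In the MIT tree the configure script sits in the src/ subdirectory.
configure_without_krb4() {
    (cd "$1/src" && ./configure --without-krb4)
}

# Run only when called with the three arguments, e.g.:
#   sh build-krb5.sh krb5-1.2.5.tar 1.2.5 ./build
if [ "$#" -eq 3 ]; then
    tree=$(verify_and_unpack "$1" "$2" "$3") && configure_without_krb4 "$tree"
fi
```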

This is document ahkb in domain all.
Last modified on January 29, 2008.