1 @node Installing programs, How to set up a realm, What is Kerberos?, Top
2 @chapter Installing programs
4 You have a choise to either build the distribution from source code or
5 to install binaries, if they are available for your machine.
9 We recommend building from sources, but using pre-compiled binaries
10 might be easier. If there are no binaries available for your machine or
11 you want to do some specific configuration, you will have to compile
15 * Installing from source::
16 * Installing a binary distribution::
17 * Finishing the installation::
19 * Authentication modules::
22 @node Installing from source, Installing a binary distribution, Installing programs, Installing programs
23 @comment node-name, next, previous, up
24 @section Installing from source
26 To build this software un-tar the distribution and run the
27 @code{configure} script.
29 To compile successfully, you will need an ANSI C compiler, such as
30 @code{gcc}. Other compilers might also work, but setting the ``ANSI
31 compliance'' too high, might break in parts of the code, not to mention
32 the standard include files.
34 To build in a separate build tree, run @code{configure} in the directory
35 where the tree should reside. You will need a Make that understands
36 VPATH correctly. GNU Make works fine.
38 After building everything (which will take anywhere from a few minutes
39 to a long time), you can install everything in @file{/usr/athena} with
40 @kbd{make install} (running as root). It is possible to install in some
41 other place, but it isn't recommended. To do this you will have to run
42 @code{configure} with @samp{--prefix=/my/path}.
44 If you need to change the default behavior, configure understands the
48 @item @kbd{--enable-shared}
49 Create shared versions of the Kerberos libraries. Not really
50 recommended and might not work on all systems.
52 @item @kbd{--with-ld-flags=}@var{flags}
53 This allows you to specify which extra flags to pass to @code{ld}. Since
54 this @emph{overrides} any choices made by configure, you should only use
55 this if you know what you are doing.
57 @item @kbd{--with-cracklib=}@var{dir}
58 Use cracklib for password quality control in
60 @code{kadmind}. This option requires
62 cracklib with the patch from
63 @url{ftp://ftp.pdc.kth.se/pub/krb/src/cracklib.patch}.
65 @item @kbd{--with-dictpath=}@var{dictpath}
66 This is the dictionary that cracklib should use.
68 @item @kbd{--with-socks=}@var{dir}
71 If you have to traverse a firewall and it uses the SocksV5 protocol
72 (@cite{RFC 1928}), you can build with socks-support. Point @var{dir} to
73 the directory where you have socks5 installed. For more information
74 about socks see @url{http://www.socks.nec.com/}.
76 @item @kbd{--with-readline=}@var{dir}
78 To enable history/line editing in @code{ftp} and @code{kadmin}, any
79 present version of readline will be used. If you have readline
80 installed but in a place where configure does not manage to find it,
81 you can use this option. The code also looks for @code{libedit}. If
82 there is no library at all, the bundled version of @code{editline} will
85 @item @kbd{--with-mailspool=}@var{dir}
86 The configuration process tries to determine where your machine stores
87 its incoming mail. This is typically @file{/usr/spool/mail} or
88 @file{/var/mail}. If it does not work or you store your mail in some
89 unusual directory, this option can be used to specify where the mail
90 spool directory is located. This directory is only accessed by
92 @code{popper}, and the mail check in
96 @item @kbd{--with-hesiod=}@var{dir}
98 Enable the Hesiod support in
100 @code{push}. With this option, it will try
101 to use the hesiod library to locate the mail post-office for the user.
103 @c @item @kbd{--enable-random-mkey}
104 @c Do not use this option unless you think you know what you are doing.
106 @item @kbd{--with-mkey=}@var{file}
107 Put the master key here, the default is @file{/.k}.
109 @item @kbd{--with-db-dir=}@var{dir}
110 Where the kerberos database should be stored. The default is
111 @file{/var/kerberos}.
113 @item @kbd{--without-berkeley-db}
116 Berkeley DB installed, it is preferred over
118 dbm. If you already are running Kerberos this option might be useful,
119 since there currently isn't an easy way to convert a dbm database to a
120 db one (you have to dump the old database and then load it with the new
123 @item @kbd{--without-afs-support}
124 Do not include AFS support.
126 @item @kbd{--with-afsws=}@var{dir}
127 Where your AFS client installation resides. The default is
130 @item @kbd{--enable-rxkad}
131 Build the rxkad library. Normally automatically included if there is AFS.
133 @item @kbd{--disable-dynamic-afs}
134 The AFS support in AIX consists of a shared library that is loaded at
135 runtime. This option disables this, and links with static system
136 calls. Doing this will make the built binaries crash on a machine that
137 doesn't have AFS in the kernel (for instance if the AFS module fails to
140 @item @kbd{--with-mips-api=}@var{api}
141 This option enables creation of different types of binaries on Irix.
142 The allowed values are @kbd{32}, @kbd{n32}, and @kbd{64}.
144 @item @kbd{--enable-legacy-kdestroy}
145 This compile-time option creates a @code{kdestroy} that does not destroy
148 @item @kbd{--disable-otp}
149 Do not build the OTP (@pxref{One-Time Passwords}) library and programs,
150 and do not include OTP support in the application programs.
152 @item @kbd{--enable-match-subdomains}
153 Normally, the host @samp{host.domain} will be considered to be part of
154 the realm @samp{DOMAIN}. With this option will also enable hosts of the
155 form @samp{host.sub.domain}, @samp{host.sub1.sub2.domain}, and so on to
156 be considered part of the realm @samp{DOMAIN}.
158 @item @kbd{--enable-osfc2}
159 Enable the use of enhanced C2 security on OSF/1. @xref{Digital SIA}.
161 @item @kbd{--disable-mmap}
162 Do not use the mmap system call. Normally, configure detects if there
163 is a working mmap and it is only used if there is one. Only try this
164 option if it fails to work anyhow.
166 @item @kbd{--disable-cat-manpages}
167 Do not install preformatted man pages.
169 @c --with-des-quad-checksum
173 @node Installing a binary distribution, Finishing the installation, Installing from source, Installing programs
174 @comment node-name, next, previous, up
175 @section Installing a binary distribution
177 The binary distribution is supposed to be installed in
178 @file{/usr/athena}, installing in some other place may work but is not
179 recommended. A symlink from @file{/usr/athena} to the install directory
182 @node Finishing the installation, .klogin, Installing a binary distribution, Installing programs
183 @section Finishing the installation
186 The only program that needs to be installed setuid to root is @code{su}.
191 @code{rlogin} and @code{rsh} are setuid to root they will fall back to
192 non-kerberised protocols if the kerberised ones fail for some
193 reason. The old protocols use reserved ports as security, and therefore
194 the programs have to be setuid to root. If you don't need this
195 functionality consider turning off the setuid bit.
198 @code{login} does not have to be setuid, as it is always run by root
199 (users should use @code{su} rather than @code{login}). It will print a
200 helpful message when not setuid to root and run by a user.
202 The programs intended to be run by users are located in
203 @file{/usr/athena/bin}. Inform your users to include
204 @file{/usr/athena/bin} in their paths, or copy or symlink the binaries
205 to some good place. The programs that you will want to use are:
206 @code{kauth}/@code{kinit},
209 @code{klist}, @code{kdestroy}, @code{kpasswd}, @code{ftp},
214 @code{telnet}, @code{rcp}, @code{rsh}, @code{rlogin}, @code{su},
226 @code{rxtelnet}, @code{tenletxr}, @code{rxterm}, and
227 @code{xnlock}. If you are using AFS, @code{afslog} and @code{pagsh}
228 might also be useful. Administrators will want to use @code{kadmin} and
229 @code{ksrvutil}, which are located in @file{/usr/athena/sbin}.
233 @code{telnetd} and @code{rlogind} assume that @code{login} is located in
234 @file{/usr/athena/bin} (or whatever path you used as
235 @samp{--prefix}). If for some reason you want to move @code{login}, you
236 will have to specify the new location with the @samp{-L} switch when
243 in @file{inetd.conf}.
245 It should be possible to replace the system's default @code{login} with
246 the kerberised @code{login}. However some systems assume that login
247 performs some serious amount of magic that our login might not do (although
248 we've tried to do our best). So before replacing it on every machine,
249 try and see what happens. Another thing to try is to use one of the
250 authentication modules (@pxref{Authentication modules}) supplied.
252 The @code{login} program that we use was in an earlier life the standard
253 login program from NetBSD. In order to use it with a lot of weird
254 systems, it has been ``enhanced'' with features from many other logins
255 (Solaris, SunOS, IRIX, AIX, and others). Some of these features are
256 actually useful and you might want to use them even on other systems.
261 @itemx /etc/logindevperm
263 Allows you to chown some devices when a user logs in on a certain
264 terminal. Commonly used to change the ownership of @file{/dev/mouse},
265 @file{/dev/kbd}, and other devices when someone logs in on
268 @file{/etc/fbtab} is the SunOS file name and it is tried first. If
269 there is no such file then the Solaris file name
270 @file{/etc/logindevperm} is tried.
271 @item /etc/environment
273 This file specifies what environment variables should be set when a user
275 @item /etc/default/login
276 @pindex default/login
277 Almost the same as @file{/etc/environment}, but the System V style.
278 @item /etc/login.access
280 Can be used to control who is allowed to login from where and on what
281 ttys. (From Wietse Venema)
286 * Authentication modules::
289 @node .klogin, Authentication modules, Finishing the installation, Installing programs
290 @comment node-name, next, previous, up
292 Each user can have an authorization file @file{~@var{user}/.klogin}
295 determines what principals can login as that user. It is similar to the
296 @file{~user/.rhosts} except that it does not use IP and privileged-port
297 based authentication. If this file does not exist, the user herself
298 @samp{user@@LOCALREALM} will be allowed to login. Supplementary local
299 realms (@pxref{Install the configuration files}) also apply here. If the
300 file exists, it should contain the additional principals that are to
301 be allowed to login as the local user @var{user}.
303 This file is consulted by most of the daemons (@code{rlogind},
304 @code{rshd}, @code{ftpd}, @code{telnetd}, @code{popper}, @code{kauthd}, and
314 principal requesting a service is allowed to receive it. It is also
317 @code{su}, which is a good way of keeping an access control list (ACL)
318 on who is allowed to become root. Assuming that @file{~root/.klogin}
326 both nisse and lisa will be able to su to root by entering the password
327 of their root instance. If that fails or if the user is not listed in
328 @file{~root/.klogin}, @code{su} falls back to the normal policy of who
329 is permitted to su. Also note that that nisse and lisa can login
330 with e.g. @code{telnet} as root provided that they have tickets for
333 @node Authentication modules, , .klogin, Installing programs
334 @comment node-name, next, previous, up
335 @section Authentication modules
336 The problem of having different authentication mechanisms has been
337 recognised by several vendors, and several solutions has appeared. In
338 most cases these solutions involve some kind of shared modules that are
339 loaded at run-time. Modules for some of these systems can be found in
340 @file{lib/auth}. Presently there are modules for Digital's SIA,
341 Solaris' and Linux' PAM, and IRIX' @code{login} and @code{xdm} (in
342 @file{lib/auth/afskauthlib}).
350 @node Digital SIA, IRIX, Authentication modules, Authentication modules
351 @subsection Digital SIA
353 To install the SIA module you will have to do the following:
358 Make sure @file{libsia_krb4.so} is available in
359 @file{/usr/athena/lib}. If @file{/usr/athena} is not on local disk, you
360 might want to put it in @file{/usr/shlib} or someplace else. If you do,
361 you'll have to edit @file{krb4_matrix.conf} to reflect the new location
362 (you will also have to do this if you installed in some other directory
363 than @file{/usr/athena}). If you built with shared libraries, you will
364 have to copy the shared @file{libkrb.so}, @file{libdes.so},
365 @file{libkadm.so}, and @file{libkafs.so} to a place where the loader can
366 find them (such as @file{/usr/shlib}).
368 Copy (your possibly edited) @file{krb4_matrix.conf} to @file{/etc/sia}.
370 Apply @file{security.patch} to @file{/sbin/init.d/security}.
372 Turn on KRB4 security by issuing @kbd{rcmgr set SECURITY KRB4} and
373 @kbd{rcmgr set KRB4_MATRIX_CONF krb4_matrix.conf}.
375 Digital thinks you should reboot your machine, but that really shouldn't
376 be necessary. It's usually sufficient just to run
377 @kbd{/sbin/init.d/security start} (and restart any applications that use
378 SIA, like @code{xdm}.)
381 Users with local passwords (like @samp{root}) should be able to login
384 When using Digital's xdm the @samp{KRBTKFILE} environment variable isn't
385 passed along as it should (since xdm zaps the environment). Instead you
386 have to set @samp{KRBTKFILE} to the correct value in
387 @file{/usr/lib/X11/xdm/Xsession}. Add a line similar to
389 KRBTKFILE=/tmp/tkt`id -u`_`ps -o ppid= -p $$`; export KRBTKFILE
391 If you use CDE, @code{dtlogin} allows you to specify which additional
392 environment variables it should export. To add @samp{KRBTKFILE} to this
393 list, edit @file{/usr/dt/config/Xconfig}, and look for the definition of
394 @samp{exportList}. You want to add something like:
396 Dtlogin.exportList: KRBTKFILE
399 @subsubheading Notes to users with Enhanced security
401 Digital's @samp{ENHANCED} (C2) security, and Kerberos solves two
402 different problems. C2 deals with local security, adds better control of
403 who can do what, auditing, and similar things. Kerberos deals with
406 To make C2 security work with Kerberos you will have to do the
411 Replace all occurencies of @file{krb4_matrix.conf} with
412 @file{krb4+c2_matrix.conf} in the directions above.
414 You must enable ``vouching'' in the @samp{default} database. This will
415 make the OSFC2 module trust other SIA modules, so you can login without
416 giving your C2 password. To do this use @samp{edauth} to edit the
417 default entry @kbd{/usr/tcb/bin/edauth -dd default}, and add a
418 @samp{d_accept_alternate_vouching} capability, if not already present.
420 For each user that does @emph{not} have a local C2 password, you should
421 set the password expiration field to zero. You can do this for each
422 user, or in the @samp{default} table. To do this use @samp{edauth} to
423 set (or change) the @samp{u_exp} capability to @samp{u_exp#0}.
425 You also need to be aware that the shipped @file{login}, @file{rcp}, and
426 @file{rshd}, doesn't do any particular C2 magic (such as checking to
427 various forms of disabled accounts), so if you rely on those features,
428 you shouldn't use those programs. If you configure with
429 @samp{--enable-osfc2}, these programs will, however, set the login
430 UID. Still: use at your own risk.
433 At present @samp{su} does not accept the vouching flag, so it will not
436 Also, kerberised ftp will not work with C2 passwords. You can solve this
437 by using both Digital's ftpd and our on different ports.
439 @strong{Remember}, if you do these changes you will get a system that
440 most certainly does @emph{not} fulfill the requirements of a C2
441 system. If C2 is what you want, for instance if someone else is forcing
442 you to use it, you're out of luck. If you use enhanced security because
443 you want a system that is more secure than it would otherwise be, you
444 probably got an even more secure system. Passwords will not be sent in
445 the clear, for instance.
447 @node IRIX, PAM, Digital SIA, Authentication modules
450 The IRIX support is a module that is compatible with Transarc's
451 @file{afskauthlib.so}. It should work with all programs that use this
452 library, this should include @file{login} and @file{xdm}.
454 The interface is not very documented but it seems that you have to copy
455 @file{libkafs.so}, @file{libkrb.so}, and @file{libdes.so} to
456 @file{/usr/lib}, or build your @file{afskauthlib.so} statically.
458 The @file{afskauthlib.so} itself is able to reside in
459 @file{/usr/vice/etc}, @file{/usr/afsws/lib}, or the current directory
462 IRIX 6.4 and newer seems to have all programs (including @file{xdm} and
463 @file{login}) in the N32 object format, whereas in older versions they
464 were O32. For it to work, the @file{afskauthlib.so} library has to be in
465 the same object format as the program that tries to load it. This might
466 require that you have to configure and build for O32 in addition to the
469 Appart from this it should ``just work'', there are no configuration
472 @node PAM, , IRIX, Authentication modules
475 The PAM module was written more out of curiosity that anything else. It
476 has not been updated for quite a while, but it seems to mostly work on
477 both Linux and Solaris.
479 To use this module you should:
483 Make sure @file{pam_krb4.so} is available in @file{/usr/athena/lib}. You
484 might actually want it on local disk, so @file{/lib/security} might be a
485 better place if @file{/usr/athena} is not local.
487 Look at @file{pam.conf.add} for examples of what to add to
488 @file{/etc/pam.conf}.
491 There is currently no support for changing kerberos passwords. Use
494 See also Derrick J Brashear's @code{<shadow@@dementia.org>} Kerberos PAM
495 module at @* @url{ftp://ftp.dementia.org/pub/pam}. It has a lot more
496 features, and it is also more in line with other PAM modules.