3.4. Configuring a Kerberos 5 Client
krb5.conf configuration file. While slogin are the preferred methods of remotely logging in to client systems, Kerberized versions of rlogin are still available, with additional configuration changes.
- Be sure that time synchronization is in place between the Kerberos client and the KDC and that DNS is working properly on the Kerberos client.
- Install the krb5-workstation packages on all of the client machines.
- Supply a valid /etc/krb5.conf file for each client (usually this can be the same krb5.conf file used by the KDC).
- To use kerberized rlogin services, install the
- Before a workstation can use Kerberos to authenticate users who connect using rlogin, it must have its own host principal in the Kerberos database. The klogind server programs all need access to the keys for the host service's principal.
kadmin, add a host principal for the workstation on the KDC. The instance in this case is the hostname of the workstation. Use the -randkey option for the addprinc command to create the principal and assign it a random key:
addprinc -randkey host/server.example.com
- The keys can be extracted for the workstation by running kadmin on the workstation itself and using the
ktadd -k /etc/krb5.keytab host/server.example.com
- To use other kerberized network services, install the krb5-server package and start the services. The kerberized services are listed in Table 3.3, “Common Kerberized Services”.
Table 3.3. Common Kerberized Services
| Service Name | Usage Information |
|---|---|
| ssh | OpenSSH uses GSS-API to authenticate users to servers if the client's and server's configuration both have |
| rsh and rlogin | Enable |
| Telnet | Enable |
| FTP | Create and extract a key for the principal with a root of |
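Once the host key has been extracted with ktadd, it is worth confirming that the keytab actually holds the host principal and that only its owner can read it, since anyone who can read the file can impersonate the host service. The script below is an added example, not part of the original guide; the function names are hypothetical, and the realm EXAMPLE.COM and the sample klist output are constructed.

```shell
#!/bin/sh
# Added example (not from the original guide): sanity checks on a client
# keytab after "ktadd -k /etc/krb5.keytab host/server.example.com".
# Function names are hypothetical; the realm EXAMPLE.COM is constructed.

# Succeed only if the file exists and grants nothing to group or other.
# Characters 5-10 of the ls mode string are the group and other bits.
keytab_mode_ok() {
    perms=$(ls -ld "$1" 2>/dev/null | awk '{ print substr($1, 5, 6) }')
    [ "$perms" = "------" ]
}

# Read plain "klist -k" output on stdin and succeed if any entry is for
# principal $1 (in any realm). The "@" anchor rejects look-alike names
# such as host/server.example.com.evil.
keytab_has_principal() {
    awk -v p="$1" '
        $1 ~ /^[0-9]+$/ && index($2, p "@") == 1 { found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# Constructed sample of "klist -k /etc/krb5.keytab" output.
sample_klist_output() {
    cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/server.example.com@EXAMPLE.COM
   2 host/server.example.com@EXAMPLE.COM
EOF
}

# Run both checks against a real keytab (requires klist from krb5-workstation).
check_host_keytab() {
    keytab=$1
    princ=$2
    keytab_mode_ok "$keytab" ||
        { echo "FAIL: $keytab missing or accessible to group/other"; return 1; }
    klist -k "$keytab" | keytab_has_principal "$princ" ||
        { echo "FAIL: no key for $princ in $keytab"; return 1; }
    echo "OK: $keytab holds $princ and is owner-only"
}
```

On the workstation, run check_host_keytab /etc/krb5.keytab host/server.example.com as root.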
An alternative to