<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
  <head>
    <meta name="generator" content="HTML Tidy, see www.w3.org">
    <title>Using Kerberos 5 for Authentication</title>
    <meta name="GENERATOR" content="Modular DocBook HTML Stylesheet Version 1.7">
    <link rel="HOME" title=" LPRng Reference Manual" href="index.htm">
    <link rel="UP" title="Permissions and Authentication " href="permsref.htm">
    <link rel="PREVIOUS" title="PGP Authentication Support" href="x9115.htm">
    <link rel="NEXT" title="Using Kerberos 4 for Authentication" href="x9386.htm">
  </head>

  <body class="SECT1" bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#840084" alink="#0000FF">
    <div class="NAVHEADER">
      <table summary="Header navigation table" width="100%" border="0" cellpadding="0" cellspacing="0">
        <tr>
          <th colspan="3" align="center">LPRng Reference Manual: 5 Sep 2003 (For LPRng-3.8.22)</th>
        </tr>

        <tr>
          <td width="10%" align="left" valign="bottom"><a href="x9115.htm" accesskey="P">Prev</a></td>

          <td width="80%" align="center" valign="bottom">Chapter 17. Permissions and Authentication</td>

          <td width="10%" align="right" valign="bottom"><a href="x9386.htm" accesskey="N">Next</a></td>
        </tr>
      </table>
      <hr align="LEFT" width="100%">
    </div>

    <div class="SECT1">
      <h1 class="SECT1"><a name="KERBEROS">17.13. Using Kerberos 5 for Authentication</a></h1>

      <p><b class="APPLICATION">LPRng</b> Kerberos 5 authentication is based on the Kerberos5-1.2.5 release as of 3 June 2002.
      The distribution was obtained from MIT from the <span class="emphasis"><i class="EMPHASIS"><a href="http://web.mit.edu/kerberos/www/" target="_top">http://web.mit.edu/kerberos/www/</a></i></span> Website.</p>

      <p>The following sections briefly describe how to set up and test the Kerberos software and then how to configure <b class="APPLICATION">LPRng</b> to use Kerberos.</p>

      <div class="SECT2">
        <h2 class="SECT2"><a name="AEN9246">17.13.1. <b class="APPLICATION">LPRng</b> Configuration</a></h2>

        <p>The following <var class="LITERAL">configure</var> options are used to enable Kerberos support:</p>

        <div class="INFORMALEXAMPLE">
          <a name="AEN9251"></a>
<pre class="SCREEN">
  --enable-kerberos          enable Kerberos V support
  --enable-mit_kerberos4     enable MIT Kerberos 4 support
  --disable-kerberos_checks  disable Kerberos sanity checks
</pre>
        </div>
        <br>
        <br>

        <p>The <var class="LITERAL">--enable-kerberos</var> option causes <var class="LITERAL">configure</var> to search for the include files such as <tt class="FILENAME">krb5.h</tt> and the <var class="LITERAL">krb5</var> support libraries. If it finds these, then Kerberos authentication will be included. The <var class="LITERAL">--enable-mit_kerberos4</var> option enables searching for the Kerberos 4 include files and support libraries. If these are found then MIT Kerberos 4 compatibility will be enabled. The <var class="LITERAL">--disable-kerberos_checks</var> option disables the checks for the libraries and simply enables the various options; use it only when you know the headers and libraries are present, since a missing library is then noticed only when the build fails.</p>
      </div>

      <div class="SECT2">
        <h2 class="SECT2"><a name="AEN9260">17.13.2.
Kerberos Installation Procedure</a></h2>

        <ol type="1">
          <li>
            <p>Get the Kerberos 5 distribution.</p>
          </li>

          <li>
            <p>Compile and install the distribution.</p>
          </li>

          <li>
            <p>Create the <tt class="FILENAME">/etc/krb5.conf</tt> and <tt class="FILENAME">/usr/local/var/krb5kdc/kdc.conf</tt> files using the templates in the Kerberos distribution's <tt class="FILENAME">src/config-files</tt> directory. See the Kerberos Installation Guide and the Kerberos System Administrators Guide for details.</p>
          </li>

          <li>
            <p>Start up the KDC and KADMIN servers - you might want to put the following in your <tt class="FILENAME">rc.local</tt> or equivalent system startup files:</p>

            <div class="INFORMALEXAMPLE">
              <a name="AEN9276"></a>
<pre class="SCREEN">
  if [ -f /etc/krb5.conf -a -f /usr/local/var/krb5kdc/kdc.conf ]; then
      echo -n ' krb5kdc '; /usr/local/sbin/krb5kdc;
      echo -n ' kadmind '; /usr/local/sbin/kadmind;
  fi
</pre>
            </div>
            <br>
            <br>
          </li>

          <li>
            <p>Use kadmin (or kadmin.local) to create principals for your users.</p>
          </li>

          <li>
            <p>Use kadmin (or kadmin.local) to create principals for the <b class="APPLICATION">lpd</b> servers. The recommended method is to use <tt class="FILENAME">lpr/hostname@REALM</tt> as a template for the principal name, for example <var class="LITERAL">lpr/astart1.private@ASTART.COM</var>. You should use fully qualified domain names for the principals.
Do not assign the principal a password; let kadmin generate a random key instead.</p>

            <div class="INFORMALEXAMPLE">
              <a name="AEN9285"></a>
<pre class="SCREEN">
  Example:

  #> kadmin     OR     #> kadmin.local
  kadmin: addprinc -randkey lpr/wayoff.private@ASTART.COM
  kadmin: quit
</pre>
            </div>
            <br>
            <br>
          </li>

          <li>
            <p>Extract the keytab for each server:</p>

            <div class="INFORMALEXAMPLE">
              <a name="AEN9289"></a>
<pre class="SCREEN">
  Example:
  #> kadmin     OR     #> kadmin.local
  kadmin: ktadd -k /etc/lpr.wayoff.private lpr/wayoff.private@ASTART.COM
  kadmin: quit
</pre>
            </div>
            <br>
            <br>
          </li>

          <li>
            <p>The <var class="LITERAL">/etc/lpr.wayoff.private</var> file contains the keytab information, which is the equivalent of a password for a server program. You should create these files and then copy the appropriate <var class="LITERAL">keytab</var> file to the <tt class="FILENAME">/etc/lpd.keytab</tt> file on each server. See the warnings about keytab files in the Kerberos Installation and Kerberos Administration manuals.
You should copy the file using an encrypted connection, set the permissions to read only by the owner (<var class="LITERAL">400</var>), and set the owner to <var class="LITERAL">daemon</var> or the user that <b class="APPLICATION">lpd</b> will run as. Anyone who can read the keytab can impersonate the <b class="APPLICATION">lpd</b> server, so verify the mode and owner on the destination host after copying.</p>

            <div class="INFORMALEXAMPLE">
              <a name="AEN9299"></a>
<pre class="SCREEN">
  #> chmod 400 /etc/lpr.wayoff.private
  #> scp /etc/lpr.wayoff.private root@wayoff.private:/etc/lpd.keytab
  #> ssh -l root wayoff.private
  # wayoff > chmod 400 /etc/lpd.keytab
  # wayoff > chown daemon /etc/lpd.keytab
  # wayoff > ls -l /etc/lpd.keytab
  -r--------  1 daemon  wheel  128 Jan 16 11:06 /etc/lpd.keytab
</pre>
            </div>
            <br>
            <br>
          </li>

          <li>
            <p>If you want to have MIT Kerberos 4 printing compatibility then you will need to set up Kerberos 4 <var class="LITERAL">srvtabs</var> instead of Kerberos 5 keytabs. Assuming that you have put the Kerberos 5 keytab in <tt class="FILENAME">/etc/lpd.keytab</tt>, you extract the Kerberos 4 srvtab version of the Kerberos 5 keytab using the following <var class="LITERAL">ktutil</var> commands. You must put the key in the <tt class="FILENAME">/etc/srvtab</tt> file in order to be compatible with the Kerberos 4 support. Kerberos 4 understands only single-DES keys, so the principal's keytab must contain a DES key for the srvtab to be usable.</p>

            <div class="INFORMALEXAMPLE">
              <a name="AEN9306"></a>
<pre class="SCREEN">
  <samp class="PROMPT">h4: {321} #</samp> <kbd class="USERINPUT">ktutil</kbd>
  <kbd class="USERINPUT">rkt /etc/lpd.keytab</kbd>
  <kbd class="USERINPUT">wst /etc/srvtab</kbd>
</pre>
            </div>
            <br>
            <br>
          </li>
        </ol>
        <br>
        <br>
      </div>

      <div class="SECT2">
        <h2 class="SECT2"><a name="AEN9312">17.13.3. <b class="APPLICATION">LPRng</b> Configuration</a></h2>

        <p>The <b class="APPLICATION">LPRng</b> software needs to be configured so that it can find the Kerberos libraries and include files.
By default, the include files are installed in <tt class="FILENAME">/usr/local/include</tt> and the libraries in <tt class="FILENAME">/usr/local/lib</tt>. Use the following steps to configure <b class="APPLICATION">LPRng</b> so that it uses these directories during configuration and installation, adding the <var class="LITERAL">--enable-kerberos</var> option from Section 17.13.1 (and <var class="LITERAL">--enable-mit_kerberos4</var> if you need Kerberos 4 compatibility):</p>

        <div class="INFORMALEXAMPLE">
          <a name="AEN9320"></a>
<pre class="SCREEN">
  cd .../LPRng
  rm -f config.cache
  CPPFLAGS="-I/usr/local/include -I/usr/include/kerberosIV" \
  LDFLAGS="-L/usr/local/lib -L/usr/lib/kerberosIV" \
      ./configure --enable-kerberos
  make clean all
  su
  make install
</pre>
        </div>
        <br>
        <br>
      </div>

      <div class="SECT2">
        <h2 class="SECT2"><a name="AEN9322">17.13.4. Printcap Entries</a></h2>

        <p>Options used:</p>

        <ul>
          <li>
            <p><var class="LITERAL">auth=kerberos5</var> <span class="emphasis"><i class="EMPHASIS">use Kerberos 5 authentication</i></span></p>
          </li>

          <li>
            <p><var class="LITERAL">kerberos_id=</var> <span class="emphasis"><i class="EMPHASIS">server principal name (for client use)</i></span></p>
          </li>

          <li>
            <p><var class="LITERAL">kerberos_server_principal=</var> <span class="emphasis"><i class="EMPHASIS">alias for kerberos_id</i></span></p>
          </li>

          <li>
            <p><var class="LITERAL">kerberos_forward_id=</var> <span class="emphasis"><i class="EMPHASIS">principal of the destination server, used by the server when forwarding jobs</i></span></p>
          </li>

          <li>
            <p><var class="LITERAL">kerberos_forward_principal=</var> <span class="emphasis"><i class="EMPHASIS">alias for kerberos_forward_id</i></span></p>
          </li>

          <li>
            <p><var class="LITERAL">kerberos_keytab=</var> <span class="emphasis"><i class="EMPHASIS">location of the lpd server keytab file</i></span></p>
          </li>

          <li>
            <p><var class="LITERAL">kerberos_service=</var> <span class="emphasis"><i
class="EMPHASIS">service to be used</i></span></p>
          </li>

          <li>
            <p><var class="LITERAL">kerberos_life=</var> <span class="emphasis"><i class="EMPHASIS">lpd server ticket lifetime</i></span></p>
          </li>

          <li>
            <p><var class="LITERAL">kerberos_renew=</var> <span class="emphasis"><i class="EMPHASIS">lpd server ticket renewability</i></span></p>
          </li>
        </ul>
        <br>
        <br>

        <p>Example printcap entry:</p>

        <div class="INFORMALEXAMPLE">
          <a name="AEN9363"></a>
<pre class="SCREEN">
  pr:client
    :lp=pr@wayoff
    :auth=kerberos5
    :kerberos_id=lpr/wayoff.private@ASTART.COM
  pr:server
    :lp=pr@faroff.private
    :auth_forward=kerberos5
    :kerberos_id=lpr/wayoff.private@ASTART.COM
    :kerberos_forward_id=lpr/faroff.private@ASTART.COM
    :kerberos_keytab=/etc/lpd.keytab

  OR, if you want to use Kerberos 4 authentication from the client to the server:
  pr:client
    :lp=pr@wayoff
    :auth=kerberos4
    :kerberos_id=lpr/wayoff.private@ASTART.COM
  # support both Kerberos 4 and 5 on server
  pr:server
    :lp=pr@faroff.private
    :auth_forward=kerberos5
    :kerberos_id=lpr/wayoff.private@ASTART.COM
    :kerberos_forward_id=lpr/faroff.private@ASTART.COM
    :kerberos_keytab=/etc/lpd.keytab
</pre>
        </div>
        <br>
        <br>

        <p>The printcap configuration for Kerberos authentication is very simple.</p>

        <p>The <var class="LITERAL">kerberos_id</var> is the principal name of the lpd server that clients will connect to. For backwards compatibility, <var class="LITERAL">kerberos_server_principal</var> can also be used. This value is used to obtain a ticket for the <b class="APPLICATION">lpd</b> server, and is the only entry required for client to server authentication.</p>

        <p>The other entries are used by the <b class="APPLICATION">lpd</b> server.
The <var class="LITERAL">kerberos_keytab</var> entry is the location of the keytab file to be used by the server. This file holds the server principal's secret key, which the server uses to authenticate itself and, when forwarding, to get a ticket from the ticket server; it plays the role of a password and must be protected as one.</p>

        <p>The <var class="LITERAL">kerberos_id</var> value is also used by the server during the authentication process to make sure that the correct principal name was used by the request originator. This check has saved many hours of pain in trying to determine why authentication is failing.</p>

        <p>The <var class="LITERAL">kerberos_life</var> and <var class="LITERAL">kerberos_renew</var> values set the lifetime and renewability of the lpd server Kerberos tickets. These values should not be modified unless you are familiar with the Kerberos system. There are extensive notes in the <b class="APPLICATION">LPRng</b> source code concerning these values. The <var class="LITERAL">kerberos_service</var> value supplies the name of the service to be used when generating a ticket. It is strongly recommended that the <var class="LITERAL">kerberos_id</var> entry be used instead.</p>
      </div>

      <div class="SECT2">
        <h2 class="SECT2"><a name="AEN9381">17.13.5. User Environment Variables and Files</a></h2>

        <p>In order to use Kerberos authentication, the user will need to obtain a ticket from the Kerberos ticket server.
This is done using <var class="LITERAL">kinit</var>; <var class="LITERAL">klist</var> shows the tickets currently held.</p>

        <p>No other actions are required by the user.</p>
      </div>
    </div>

    <div class="NAVFOOTER">
      <hr align="LEFT" width="100%">

      <table summary="Footer navigation table" width="100%" border="0" cellpadding="0" cellspacing="0">
        <tr>
          <td width="33%" align="left" valign="top"><a href="x9115.htm" accesskey="P">Prev</a></td>

          <td width="34%" align="center" valign="top"><a href="index.htm" accesskey="H">Home</a></td>

          <td width="33%" align="right" valign="top"><a href="x9386.htm" accesskey="N">Next</a></td>
        </tr>

        <tr>
          <td width="33%" align="left" valign="top">PGP Authentication Support</td>

          <td width="34%" align="center" valign="top"><a href="permsref.htm" accesskey="U">Up</a></td>

          <td width="33%" align="right" valign="top">Using Kerberos 4 for Authentication</td>
        </tr>
      </table>
    </div>
  </body>
</html>
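As an added example (not part of the LPRng manual, of LPRng itself, or of the MIT Kerberos distribution), the POSIX shell script below performs two checks a practitioner wants after finishing the installation procedure in 17.13.2 and writing the printcap entries in 17.13.4: that the lpd keytab has exactly the mode and owner the manual asks for, and that every printcap entry which turns on Kerberos also carries the principal and keytab options it needs (an entry with `auth=kerberos5` or `auth=kerberos4` must name `kerberos_id` or `kerberos_server_principal`; an entry with `auth_forward=kerberos5` must name `kerberos_forward_id` or `kerberos_forward_principal` and `kerberos_keytab`; `kerberos_service` is flagged as a warning because the manual recommends `kerberos_id` instead). The function names, the two sample printcap texts and the two mistakes planted in the second sample are constructed for this example; the principals, host names and realm are the manual's own.

```shell
#!/bin/sh
# Added example; not part of LPRng or the MIT Kerberos distribution.
#   check_lpd_keytab FILE OWNER   keytab is a regular file, mode 0400, owned by OWNER (17.13.2)
#   lint_printcap [FILE]          Kerberos printcap entries carry the options they need (17.13.4)
# The sample printcap texts at the end are constructed for this example.

# Returns 0 when FILE is a regular file with mode exactly 0400 (-r--------) owned by OWNER.
# Parses `ls -ld` rather than stat(1), whose flags differ between GNU and BSD.
check_lpd_keytab() {
    file=$1; owner=$2
    [ -f "$file" ] || { echo "$file: missing or not a regular file" >&2; return 1; }
    set -- $(ls -ld "$file")          # $1 = mode string, $3 = owner
    case $1 in
        -r--------*) ;;               # a trailing + or @ only flags an ACL or xattr
        *) echo "$file: mode is $1, expected -r-------- (chmod 400)" >&2; return 1 ;;
    esac
    [ "$3" = "$owner" ] || { echo "$file: owner is $3, expected $owner" >&2; return 1; }
}

# Reads an LPRng printcap (file argument or stdin) and reports entries whose Kerberos
# options are incomplete. Entry names start in column 1, continuation lines start with
# whitespace, options are ':'-separated (values containing ':' are not handled).
# Prints one line per finding; exits 1 if any entry is broken, 0 if only warnings.
lint_printcap() {
    awk '
    function label(   l) {
        l = name
        if ("client" in opt) l = l " (client)"
        if ("server" in opt) l = l " (server)"
        return l
    }
    function addopts(s, first,   n, f, i, key, val, eq) {
        sub(/\\[ \t]*$/, "", s)                 # drop a trailing backslash continuation
        n = split(s, f, ":")
        for (i = first; i <= n; i++) {
            if (f[i] ~ /^[ \t]*$/) continue
            key = f[i]; val = "1"              # a bare flag such as "client" is stored as 1
            eq = index(key, "=")
            if (eq) { val = substr(key, eq + 1); key = substr(key, 1, eq - 1) }
            gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            opt[key] = val
        }
    }
    function report(   k, l) {
        if (name == "") return
        l = label()
        if (opt["auth"] ~ /^kerberos/ && !("kerberos_id" in opt) && !("kerberos_server_principal" in opt)) {
            print l ": auth=" opt["auth"] " but no kerberos_id (lpd server principal)"; bad++
        }
        if (opt["auth_forward"] ~ /^kerberos/) {
            if (!("kerberos_forward_id" in opt) && !("kerberos_forward_principal" in opt)) {
                print l ": auth_forward=" opt["auth_forward"] " but no kerberos_forward_id"; bad++
            }
            if (!("kerberos_keytab" in opt)) {
                print l ": auth_forward=" opt["auth_forward"] " but no kerberos_keytab"; bad++
            }
        }
        if ("kerberos_service" in opt)
            print l ": warning: kerberos_service set; the manual recommends kerberos_id instead"
        for (k in opt) delete opt[k]
        name = ""
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    /^[^ \t]/ { report(); split($0, h, ":"); name = h[1]; sub(/[ \t]+$/, "", name); addopts($0, 2); next }
    { addopts($0, 1) }
    END { report(); exit (bad > 0) }
    ' "$@"
}

# Constructed sample matching the manual's first example (complete).
GOOD_PRINTCAP='pr:client
   :lp=pr@wayoff
   :auth=kerberos5
   :kerberos_id=lpr/wayoff.private@ASTART.COM
pr:server
   :lp=pr@faroff.private
   :auth_forward=kerberos5
   :kerberos_id=lpr/wayoff.private@ASTART.COM
   :kerberos_forward_id=lpr/faroff.private@ASTART.COM
   :kerberos_keytab=/etc/lpd.keytab'

# Constructed sample with two mistakes: the client names a service instead of the
# server principal, and the forwarding server entry has no keytab.
BAD_PRINTCAP='pr:client
   :lp=pr@wayoff
   :auth=kerberos5
   :kerberos_service=lpr
pr:server
   :lp=pr@faroff.private
   :auth_forward=kerberos5
   :kerberos_forward_id=lpr/faroff.private@ASTART.COM'

# Stand-alone demo: lint both samples from stdin.
printf '%s\n' "$GOOD_PRINTCAP" | lint_printcap && echo "good sample: no findings"
printf '%s\n' "$BAD_PRINTCAP" | lint_printcap || echo "bad sample: problems found"
```

Run as-is to lint the two embedded samples, or `lint_printcap /etc/printcap` and `check_lpd_keytab /etc/lpd.keytab daemon` on a real host. The linter only understands the `:`-separated, whitespace-continued layout shown in the manual's example and does not interpret LPRng's other printcap features; the keytab check deliberately insists on exactly mode 400 rather than "not world-readable", because the keytab is the server's password and nothing but the lpd user needs it.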