On Wed, Dec 22, 2004 at 02:13:21PM +0100, Jiri Navratil wrote:
> I'm installing a new machine based on BLFS instructions. I would like to
> test the coda with Kerberos 5 authentication. As BLFS make no

I would rather strongly suggest you to try the modular clog, it has a better
support for kerberos than the mainstream one.
A binary Linux client is available at
http://www.konvalo.org/?pagename=Main.Software
http://www.konvalo.org/pub/coda-client-setup

You would want to install an inetd service on the Coda server machine(s)
like that:

inetd.conf:
-----------
codaauth2 stream tcp nowait nobody /bin/cat cat /etc/codaauth.conf
-----------

with /etc/codaauth.conf being like the following, words containing
"substitute" to be replaced by your actual values:

-----------------------------------
version = 3
authorities {
  ###################### traditional Coda password support section,
  ###################### may be omitted in pure Kerberos installation
  ## the authority label you chose:
  adm {
    methods {
      ## the method label you chose:
      pass {
        ## the method name, a predefined string, "codapassword" for Coda password auth
        authmethod = codapassword
        methodopts {
          tokensrvs {
            substitute.your.coda.auth.server.fqdn 370
            # substitute.your.another.server.fqdn 370
            # and so on for each host where you run auth2 services
          }
        }
      }
    }
  }
  ###################### example kerberos5 authority description
  ## the authority label you choose freely:
  myrlm {
    methods {
      ## the method label you choose freely:
      my_krb5 {
        ## the method name, it has to be spelled "kerberos5"
        authmethod = kerberos5
        methodopts {
          krb5realm = substitute-YOUR-KERBEROS-REALM.HERE
          krb5kdcs {
            substitute.by.fqdn.of.a.corresponding.krb.kdc
            # another.one
            # and.so.on
          }
          krb5options {
            ## for plain mit kerberos possibly:
            withaddrs = no
            proxiable = yes
          }
          krb5service {
            ## choose it arbitrarily, together with your kerberos realm administrator
            ## (which can happen to be yourself)
            codaauth/coda.realm.org
          }
          tokensrvs {
            substitute.your.auth2.server.fqdn 370
            # substitute.your.another.server.fqdn 370
            # and so on for each host where you run auth2 services
          }
        }
      }
    }
  }
}
-----------------------------------

Note that this part makes unnecessary any kerberos-related client
configuration, and you will be able to authenticate against Coda realms
using services of different kerberos realms, at the same time.
You do not need to install any libraries on a client either. The client
contains the necessary (MIT) libraries, though it does not reveal them in
the traditional places like /lib.

If you do not do this "authentication advertisement" part, you still will
be able to use the kerberized clog - by putting all the information about
kerberos servers, auth2 servers, kerberos principal, kerberos options on
the command line. clog --help may help

You may use a mainstream Coda server, I think, just configure it to use
the krb5 principal in accordance with krb5service above, or the other way
around, and let it possess a copy of the corresponding keytab and have a
corresponding contents of /etc/krb5.conf on the server hosts.

You may of course compile both the server and the client for modularized
clog. The source, the compile "NOTES" as well as the binaries are at
/coda/konvalo.org/sw/pm/1/TOP/c/coda/V/cvs20040923/L/1/
It is not the newest Coda, but the modular part is present as a patch
which should work with the most recent code as well.

Caution, the binaries there would not work for you directly, they are
assumed to be run via explicit
ld-linux.so.2 --library-path <where-the-libraries-are> <binary> [<args>]
(in the http://www.konvalo.org/pub/coda-client-setup binaries are wrapped
properly and you do not have to worry)

> preference between MIT krb5 and Heimdal-0.6.2, can somebody tell me,
> which one is better for coda or otherwise, that I do not need to care
> about the choice?

I'd suggest picking MIT as I am running MIT libraries myself (those from
/coda/konvalo.org/sw/pm/1/TOP/k/krb5/V/1.3.5/L/1, not from any OS
distribution)

> Which document/page I shall read to be able to secure my coda server
> placed in Internet?

I am not aware of one yet...

--
Ivan

Received on 2004-12-22 09:47:35
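As an added example (my own code, not Ivan's and not part of the Coda project), a small Python checker for a /etc/codaauth.conf "authentication advertisement" of the shape shown in the message above. The grammar is assumed from that example only: '#' starts a comment, 'key = value' is an assignment, 'name {' opens a block, and any other line inside a block is a bare entry such as 'host port' or a principal name. The sample configurations are constructed, using example.org names. Since inetd hands this file verbatim to every client that connects, a leftover "substitute" placeholder or a miscounted brace is published to all of them and clients simply fail to find a KDC or auth2 server, so it is worth validating before the service is enabled:

```python
import re

PLACEHOLDER = re.compile("substitute", re.IGNORECASE)  # marker used in the template

def _node():
    return {"assign": {}, "blocks": {}, "items": []}

def parse(text):
    """Parse the brace-structured file into nested nodes (grammar assumed from the example)."""
    root = _node()
    stack = [root]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # '#' and '##' start comments
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError(f"line {lineno}: unbalanced '}}'")
            stack.pop()
        elif line.endswith("{"):  # 'name {' opens a nested block
            stack[-1]["blocks"][line[:-1].strip()] = child = _node()
            stack.append(child)
        elif "=" in line:  # 'key = value'
            key, _, value = line.partition("=")
            stack[-1]["assign"][key.strip()] = value.strip()
        else:  # bare entry such as 'host port' or a principal name
            stack[-1]["items"].append(line.split())
    if len(stack) != 1:
        raise ValueError("unclosed '{'")
    return root

def check(conf):
    """Return problems that would leave clients without a usable auth description."""
    bad = []
    authorities = conf["blocks"].get("authorities")
    if conf["assign"].get("version") != "3" or authorities is None:
        return ["need 'version = 3' and an 'authorities' block"]
    for aname, auth in authorities["blocks"].items():
        for mname, method in auth["blocks"].get("methods", _node())["blocks"].items():
            where = f"{aname}/{mname}"
            kind = method["assign"].get("authmethod")
            opts = method["blocks"].get("methodopts", _node())
            srvs = opts["blocks"].get("tokensrvs", _node())["items"]
            if not srvs:
                bad.append(f"{where}: no tokensrvs (auth2 host and port)")
            for entry in srvs:
                if len(entry) != 2 or not entry[1].isdigit():
                    bad.append(f"{where}: tokensrvs entry must be 'host port': {' '.join(entry)}")
                elif PLACEHOLDER.search(entry[0]):
                    bad.append(f"{where}: placeholder left in tokensrvs: {entry[0]}")
            if kind == "kerberos5":
                realm = opts["assign"].get("krb5realm", "")
                if not realm or PLACEHOLDER.search(realm):
                    bad.append(f"{where}: krb5realm missing or still a placeholder: {realm!r}")
                kdcs = opts["blocks"].get("krb5kdcs", _node())["items"]
                if not kdcs or any(PLACEHOLDER.search(k[0]) for k in kdcs):
                    bad.append(f"{where}: krb5kdcs missing or still a placeholder")
                svc = opts["blocks"].get("krb5service", _node())["items"]
                if not svc or "/" not in svc[0][0]:
                    bad.append(f"{where}: krb5service must name a service/instance principal")
    return bad

# Constructed sample: the kerberos5 authority from the message, placeholders left in.
TEMPLATE = """version = 3
authorities {
  myrlm {
    methods {
      my_krb5 {
        authmethod = kerberos5
        methodopts {
          krb5realm = substitute-YOUR-KERBEROS-REALM.HERE
          krb5kdcs {
            substitute.by.fqdn.of.a.corresponding.krb.kdc
          }
          krb5service {
            codaauth/coda.realm.org
          }
          tokensrvs {
            substitute.your.auth2.server.fqdn 370
          }
        }
      }
    }
  }
}
"""

# Constructed filled-in variant using example.org names (not a real deployment).
FILLED = (TEMPLATE
          .replace("substitute-YOUR-KERBEROS-REALM.HERE", "EXAMPLE.ORG")
          .replace("substitute.by.fqdn.of.a.corresponding.krb.kdc", "kdc1.example.org")
          .replace("substitute.your.auth2.server.fqdn", "auth.coda.example.org"))

if __name__ == "__main__":
    for name, text in (("template", TEMPLATE), ("filled", FILLED)):
        print(name, check(parse(text)) or "ok")
```

Run against the template as posted, the checker reports the three unreplaced placeholders (tokensrvs host, krb5realm, krb5kdcs); against the filled-in copy it reports nothing. The parser deliberately refuses unbalanced braces rather than guessing, because a truncated file would still be served happily by the inetd/cat service above.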