System Administration Guide

Administering Kerberos Version 4 Authentication

A system administrator can implement policies that help secure the network. The level of security required will differ with each site. This section provides instructions for some tasks associated with network security.

How to Share and Mount Files With Kerberos Authentication

Prerequisite

Kerberos Version 4 authentication must be enabled on the network.

To share a file system with Kerberos authentication:
  1. Become superuser.

  2. Share the file system with Kerberos authentication.


    # share -F nfs -o sec=krb4 /filesystem
    
To mount a file system with Kerberos authentication:
  1. Become superuser.

  2. Mount the file system with Kerberos authentication.


    # mount -F nfs -o sec=krb4 server:resource mountpoint
    

    The -o sec=krb4 option mounts the file system with AUTH_KERB authentication.

How to Acquire a Kerberos Ticket for Superuser on a Client

If the NFS file system that you need to access has not been mounted, you need to acquire a ticket for superuser on the client before mounting it.

To acquire a ticket for a not-yet-mounted file system:
  1. Become superuser.

  2. Acquire a Kerberos ticket on the client.


    # kinit root.hostname
    

    hostname is the name of the client system.


    # kinit root.earth
    Password:
    #
To acquire a ticket for a mounted file system:

If the entry root.hostname for the client has been entered into the /etc/srvtab configuration file, you can use the ksrvtgt command to get a ticket for superuser. In this case, you are not required to give a superuser password. Consult the MIT documentation for information about initializing the /etc/srvtab file.

  1. Become superuser.

  2. Acquire a ticket for a mounted file system.


    # ksrvtgt root.hostname
    

Example--Acquiring a Kerberos Ticket for Superuser on a Client


# ksrvtgt root.earth
#

How to Log In to Kerberos Service

Log in to the Kerberos service by using the kinit -l username command.


earth% kinit -l username

With the -l option, the kinit command prompts you for the ticket lifetime as well as for your password. With the -v option, it prints the ticket status in verbose mode.

Example of Logging In to Kerberos Service


earth% kinit -l jjones
SunOS (earth)
Kerberos Initialization for "jjones"
Kerberos ticket lifetime (minutes): 480
Password:
earth%

How to List Kerberos Tickets

Enter klist.


earth% klist

Example of Listing Kerberos Tickets


earth% klist
Ticket file: /tmp/tkt8516
Principal: jjones@North.Abc.COM
  Issued            Expires          Principal
  Jan 14 20:40:54   Jan 15 04:40:54  krbtgt.North.Abc.COM@North.Abc.COM

How to Access a Directory With Kerberos Authentication

Type cd /mountpoint.

Access the mounted directory, just as you would any other mounted directory. You can list the files in the directory with the ls command, or list the Kerberos tickets with the klist command.

Example of Accessing a Directory With Kerberos Authentication

In the following example, user jjones can change to the mounted mntkrb directory and list the files in this directory.

The kerbd daemon has automatically secured a ticket on the user's behalf for the NFS server exporting the file system. At this point there are two valid tickets--the original ticket-granting ticket, and the server ticket. These two tickets are listed by klist.


earth% cd /mntkrb
earth% ls -l /mntkrb
-rw-r--r-- 1 marks  staff  29 Jul 14 12:22 sports
drwxr-xr-x 3 jjones staff 512 Sep 13 13:44 market
 
earth% klist
Ticket file: /tmp/tkt8516
Principal: jjones@North.Abc.COM
  Issued            Expires          Principal
  Jan 14 20:40:54   Jan 15 04:40:54  krbtgt.North.Abc.COM@North.Abc.COM
  Jan 14 20:43:21   Jan 15 04:43:21  nfs.pluto@North.Abc.COM
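The following script is an added example and is not part of the Solaris guide or of Sun's own tools. It ties together two of the procedures above: the requirement to hold a superuser ticket before mounting with sec=krb4, and reading the klist listing to see which tickets are present. The klist text embedded in the script is constructed from the listing shown above; the function names (has_ticket, tgt_principal, krb4_mount_check, krb4_mount) are the example's own. The check uses only the listing format documented here (the TGT appears as krbtgt.REALM@REALM, and the server ticket that kerbd obtains appears as nfs.SERVER@REALM); the id and uname commands used in krb4_mount are assumed to be available on the client.

```sh
#!/bin/sh
# Added example (not from the Solaris guide): inspect klist output to decide
# whether the tickets needed for a sec=krb4 NFS mount are held, and only then
# run the mount command from the guide.

# Constructed klist output, modelled on the listing shown in this guide.
KLIST_SAMPLE='Ticket file: /tmp/tkt8516
Principal: jjones@North.Abc.COM
  Issued            Expires          Principal
  Jan 14 20:40:54   Jan 15 04:40:54  krbtgt.North.Abc.COM@North.Abc.COM
  Jan 14 20:43:21   Jan 15 04:43:21  nfs.pluto@North.Abc.COM'

# Constructed output for the no-ticket case (the message seen after kdestroy).
KLIST_EMPTY="Can't get Kerberos key: No ticket file (tf_util)"

# has_ticket LISTING PRINCIPAL -> exit 0 if a ticket line for PRINCIPAL is
# present, 1 otherwise. Ticket lines have seven fields: two timestamps of
# three fields each, then the principal.
has_ticket() {
    printf '%s\n' "$1" | awk -v p="$2" '
        NF >= 7 && $7 == p { found = 1 }
        END { exit found ? 0 : 1 }'
}

# tgt_principal LISTING -> prints the ticket-granting-ticket name for the
# realm on the "Principal:" line (krbtgt.REALM@REALM), or nothing if that
# line is absent (for example when there is no ticket file).
tgt_principal() {
    printf '%s\n' "$1" | awk '
        $1 == "Principal:" {
            n = split($2, a, "@")
            if (n == 2) print "krbtgt." a[2] "@" a[2]
        }'
}

# krb4_mount_check SERVER LISTING -> prints one of:
#   no-tgt         no ticket file or no TGT: run kinit root.hostname first
#                  (or ksrvtgt root.hostname if /etc/srvtab holds the entry)
#   tgt-only       TGT held; kerbd will fetch the server ticket on first access
#   server-ticket  the nfs.SERVER ticket is already held as well
# Exit status is 1 for no-tgt, 0 otherwise.
krb4_mount_check() {
    server=$1
    listing=$2
    tgt=$(tgt_principal "$listing")
    if [ -z "$tgt" ] || ! has_ticket "$listing" "$tgt"; then
        echo no-tgt
        return 1
    fi
    realm=${tgt#*@}
    if has_ticket "$listing" "nfs.$server@$realm"; then
        echo server-ticket
    else
        echo tgt-only
    fi
    return 0
}

# krb4_mount SERVER RESOURCE MOUNTPOINT: the mount procedure from this guide
# with the superuser and ticket checks in front. Only meaningful on a Solaris
# client where Kerberos V4 is enabled; nothing below is invoked at load time.
krb4_mount() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "krb4_mount: must be superuser" >&2
        return 2
    fi
    state=$(krb4_mount_check "$1" "$(klist 2>&1)") || {
        echo "krb4_mount: $state: run kinit root.$(uname -n) first" >&2
        return 1
    }
    mount -F nfs -o sec=krb4 "$1:$2" "$3"
}
```

Run krb4_mount_check against a saved listing to see the three states, for example `krb4_mount_check pluto "$KLIST_SAMPLE"` prints server-ticket, while the same call with the post-kdestroy text prints no-tgt and returns 1. The distinction matters for diagnosis: no-tgt means the superuser ticket from kinit or ksrvtgt is missing, whereas tgt-only after a failed access points at the server-side ticket exchange rather than at the client's login.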

How to Destroy a Kerberos Ticket

Enter kdestroy.

Destroy Kerberos tickets when the session is over, so that an unauthorized user cannot gain access to them. If you want to reinitiate Kerberos authentication, use the kinit command.

Example of Destroying a Kerberos Ticket

The following example shows how to destroy the Kerberos ticket. If the user then tries to change to or list a Kerberos-protected directory, the ticket server denies access.


earth% kdestroy
Tickets destroyed
earth% ls /mntkrb
Can't get Kerberos key: No ticket file (tf_util)
NFS getattr failed for server pluto: RPC: Authentication error
can not access directory /mntkrb.