(itstool) path: sect2/screen
<prompt>#</prompt> <userinput>pkg install heimdal</userinput>
<personname> <firstname>Mark</firstname> <surname>Murray</surname> </personname> <contrib>Based on a contribution by </contrib>
<application>Kerberos</application> is a network authentication protocol which was originally created by the Massachusetts Institute of Technology (<acronym>MIT</acronym>) as a way to securely provide authentication across a potentially hostile network. The <application>Kerberos</application> protocol uses strong cryptography so that both a client and server can prove their identity without sending any unencrypted secrets over the network. <application>Kerberos</application> can be described as an identity-verifying proxy system and as a trusted third-party authentication system. After a user authenticates with <application>Kerberos</application>, their communications can be encrypted to assure privacy and data integrity.
The only function of <application>Kerberos</application> is to provide the secure authentication of users and servers on the network. It does not provide authorization or auditing functions. It is recommended that <application>Kerberos</application> be used with other security methods which provide authorization and audit services.
The current version of the protocol is version 5, described in <acronym>RFC</acronym> 4120. Several free implementations of this protocol are available, covering a wide range of operating systems. <acronym>MIT</acronym> continues to develop their <application>Kerberos</application> package. It is commonly used in the <acronym>US</acronym> as a cryptography product, and has historically been subject to <acronym>US</acronym> export regulations. In FreeBSD, <acronym>MIT</acronym> <application>Kerberos</application> is available as the <package>security/krb5</package> package or port. The Heimdal <application>Kerberos</application> implementation was explicitly developed outside of the <acronym>US</acronym> to avoid export regulations. The Heimdal <application>Kerberos</application> distribution is included in the base FreeBSD installation, and another distribution with more configurable options is available as <package>security/heimdal</package> in the Ports Collection.
In <application>Kerberos</application> users and services are identified as <quote>principals</quote> which are contained within an administrative grouping, called a <quote>realm</quote>. A typical user principal would be of the form <literal><replaceable>user</replaceable>@<replaceable>REALM</replaceable></literal> (realms are traditionally uppercase).
This section provides a guide on how to set up <application>Kerberos</application> using the Heimdal distribution included in FreeBSD.
For purposes of demonstrating a <application>Kerberos</application> installation, the name spaces will be as follows:
The <acronym>DNS</acronym> domain (zone) will be <systemitem class="fqdomainname"></systemitem>.
The <application>Kerberos</application> realm will be <literal>EXAMPLE.ORG</literal>.
Use real domain names when setting up <application>Kerberos</application>, even if it will run internally. This avoids <acronym>DNS</acronym> problems and assures inter-operation with other <application>Kerberos</application> realms.
Setting up a Heimdal <acronym>KDC</acronym>
<primary>Kerberos5</primary> <secondary>Key Distribution Center</secondary>
The Key Distribution Center (<acronym>KDC</acronym>) is the centralized authentication service that <application>Kerberos</application> provides, the <quote>trusted third party</quote> of the system. It is the computer that issues <application>Kerberos</application> tickets, which are used for clients to authenticate to servers. Because the <acronym>KDC</acronym> is considered trusted by all other computers in the <application>Kerberos</application> realm, it has heightened security concerns. Direct access to the KDC should be limited.
While running a <acronym>KDC</acronym> requires few computing resources, a dedicated machine acting only as a <acronym>KDC</acronym> is recommended for security reasons.
To begin, install the <package>security/heimdal</package> package as follows:
<prompt>#</prompt> <userinput>pkg install heimdal</userinput>
Next, update <filename>/etc/rc.conf</filename> using <command>sysrc</command> as follows:
<prompt>#</prompt> <userinput>sysrc kdc_enable=yes</userinput>
<prompt>#</prompt> <userinput>sysrc kadmind_enable=yes</userinput>
Next, edit <filename>/etc/krb5.conf</filename> as follows:
[libdefaults]
    default_realm = <replaceable>EXAMPLE.ORG</replaceable>
[realms]
    <replaceable>EXAMPLE.ORG</replaceable> = {
        kdc = <replaceable></replaceable>
        admin_server = <replaceable></replaceable>
    }
[domain_realm]
    <replaceable></replaceable> = <replaceable>EXAMPLE.ORG</replaceable>
In this example, the <acronym>KDC</acronym> will use the fully-qualified hostname <systemitem class="fqdomainname"></systemitem>. The hostname of the KDC must be resolvable in the <acronym>DNS</acronym>.
<application>Kerberos</application> can also use the <acronym>DNS</acronym> to locate KDCs, instead of a <literal>[realms]</literal> section in <filename>/etc/krb5.conf</filename>. For large organizations that have their own <acronym>DNS</acronym> servers, the above example could be trimmed to:
[libdefaults]
    default_realm = <replaceable>EXAMPLE.ORG</replaceable>
[domain_realm]
    <replaceable></replaceable> = <replaceable>EXAMPLE.ORG</replaceable>
With the following lines being included in the <systemitem class="fqdomainname"></systemitem> zone file:
_kerberos._udp IN SRV 01 00 88 <replaceable></replaceable>.
_kerberos._tcp IN SRV 01 00 88 <replaceable></replaceable>.
_kpasswd._udp IN SRV 01 00 464 <replaceable></replaceable>.
_kerberos-adm._tcp IN SRV 01 00 749 <replaceable></replaceable>.
_kerberos IN TXT <replaceable>EXAMPLE.ORG</replaceable>
In order for clients to be able to find the <application>Kerberos</application> services, they <emphasis>must</emphasis> have either a fully configured <filename>/etc/krb5.conf</filename> or a minimally configured <filename>/etc/krb5.conf</filename> <emphasis>and</emphasis> a properly configured <acronym>DNS</acronym> server.
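The two ways of locating the <acronym>KDC</acronym> described above (a full <literal>[realms]</literal> entry in <filename>/etc/krb5.conf</filename>, or a trimmed file plus <literal>_kerberos</literal> SRV records in <acronym>DNS</acronym>) are illustrated by the following added example. It is not code from the FreeBSD Handbook or from Heimdal; it is a minimal stand-in for the client library's lookup logic. The <filename>krb5.conf</filename> texts, the zone records and the hostnames (<literal>kdc1.example.org</literal>, <literal>kdc2.example.org</literal>) are constructed for the example, and the parser accepts only the small subset of the file syntax shown in this section.

```python
"""Added example (not from the FreeBSD Handbook or Heimdal): how a client
maps a hostname to a realm via [domain_realm] and then locates the KDC,
first from the [realms] section of krb5.conf and, when that is absent,
from _kerberos SRV records in DNS.  All inputs below are constructed."""
import re
from collections import defaultdict

# Constructed krb5.conf in the handbook's full form (hostnames are placeholders).
KRB5_CONF_FULL = """
[libdefaults]
    default_realm = EXAMPLE.ORG
[realms]
    EXAMPLE.ORG = {
        kdc = kdc1.example.org
        admin_server = kdc1.example.org
    }
[domain_realm]
    .example.org = EXAMPLE.ORG
"""

# Constructed krb5.conf in the handbook's trimmed form: no [realms] section,
# so the KDC must be found through DNS.
KRB5_CONF_TRIMMED = """
[libdefaults]
    default_realm = EXAMPLE.ORG
[domain_realm]
    .example.org = EXAMPLE.ORG
"""

# Constructed zone lines in the shape the handbook shows; a second KDC with a
# higher (less preferred) priority value is added to show ordering.
ZONE_RECORDS = """
_kerberos._udp IN SRV 01 00 88 kdc1.example.org.
_kerberos._udp IN SRV 02 00 88 kdc2.example.org.
_kerberos._tcp IN SRV 01 00 88 kdc1.example.org.
_kpasswd._udp IN SRV 01 00 464 kdc1.example.org.
_kerberos-adm._tcp IN SRV 01 00 749 kdc1.example.org.
_kerberos IN TXT EXAMPLE.ORG
"""


def parse_krb5_conf(text):
    """Parse the INI-like subset of krb5.conf used here into
    {section: {key: value}}; a "REALM = { ... }" block becomes a nested dict."""
    conf = defaultdict(dict)
    section = None
    block = None  # (realm_name, dict) while inside a brace block
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
            continue
        if line == "}" and block:
            conf[section][block[0]] = block[1]
            block = None
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if value == "{":
            block = (key, {})
        elif block:
            block[1][key] = value
        else:
            conf[section][key] = value
    return dict(conf)


def realm_for_host(conf, hostname):
    """[domain_realm] lookup: an exact host entry wins, otherwise the longest
    matching domain suffix written with a leading dot.  Returns None when the
    file has no mapping (a real library then applies its own fallback rules)."""
    mapping = conf.get("domain_realm", {})
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return None


def parse_srv(zone_text, owner):
    """Return [(priority, weight, port, target)] for one SRV owner name,
    sorted so the lowest priority value (most preferred) comes first."""
    out = []
    for line in zone_text.splitlines():
        parts = line.split()
        if len(parts) == 7 and parts[0] == owner and parts[2] == "SRV":
            prio, weight, port = (int(p) for p in parts[3:6])
            out.append((prio, weight, port, parts[6].rstrip(".")))
    return sorted(out)


def locate_kdcs(conf, realm, zone_text):
    """KDC discovery order: the [realms] entry if the file has one, else the
    _kerberos._udp SRV records for the realm's DNS zone.  Returns host:port."""
    entry = conf.get("realms", {}).get(realm, {})
    if "kdc" in entry:
        kdc = entry["kdc"]
        return [kdc if ":" in kdc else kdc + ":88"]  # 88 is the default KDC port
    return [f"{target}:{port}" for _, _, port, target in parse_srv(zone_text, "_kerberos._udp")]


if __name__ == "__main__":
    for name, text in (("full", KRB5_CONF_FULL), ("trimmed", KRB5_CONF_TRIMMED)):
        conf = parse_krb5_conf(text)
        realm = realm_for_host(conf, "fileserver.example.org")
        print(name, realm, locate_kdcs(conf, realm, ZONE_RECORDS))
```

The design point worth noticing is which piece of information comes from where: the trimmed file still carries the host-to-realm mapping in <literal>[domain_realm]</literal> and only the <emphasis>location</emphasis> of the KDC moves to <acronym>DNS</acronym>. That split is deliberate. A KDC learned from a spoofed SRV record cannot issue tickets for the real realm, because it does not hold the principals' keys, whereas letting unauthenticated <acronym>DNS</acronym> decide which realm a host belongs to is a different matter, which is why that mapping belongs in the file on the client.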
Next, create the <application>Kerberos</application> database which contains the keys of all principals (users and hosts) encrypted with a master password. It is not required to remember this password as it will be stored in <filename>/var/heimdal/m-key</filename>; it would be reasonable to use a 45-character random password for this purpose. To create the master key, run <command>kstash</command> and enter a password:
<prompt>#</prompt> <userinput>kstash</userinput>
Master key: <userinput><replaceable>xxxxxxxxxxxxxxxxxxxxxxx</replaceable></userinput>
Verifying password - Master key: <userinput><replaceable>xxxxxxxxxxxxxxxxxxxxxxx</replaceable></userinput>
Once the master key has been created, the database should be initialized. The <application>Kerberos</application> administrative tool <citerefentry><refentrytitle>kadmin</refentrytitle><manvolnum>8</manvolnum></citerefentry> can be used on the KDC in a mode that operates directly on the database, without using the <citerefentry><refentrytitle>kadmind</refentrytitle><manvolnum>8</manvolnum></citerefentry> network service, as <command>kadmin -l</command>. This resolves the chicken-and-egg problem of trying to connect to the database before it is created. At the <command>kadmin</command> prompt, use <command>init</command> to create the realm's initial database:
<prompt>#</prompt> <userinput>kadmin -l</userinput>
kadmin&gt; <userinput>init <replaceable>EXAMPLE.ORG</replaceable></userinput>
Realm max ticket life [unlimited]:
Lastly, while still in <command>kadmin</command>, create the first principal using <command>add</command>. Stick to the default options for the principal for now, as these can be changed later with <command>modify</command>. Type <literal>?</literal> at the prompt to see the available options.
FreeBSD Doc / books_handbook (Persian)
Source information
Source string location
String age: 5 months ago
Source string age: 5 months ago
Translation file: books/fa/handbook.po, string 4058