Posted to commits@directory.apache.org by pl...@apache.org on 2016/02/15 03:42:56 UTC
[32/36] directory-kerby git commit: Refine the readme.
Refine the readme.
Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/426e1140
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/426e1140
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/426e1140
Branch: refs/heads/kadmin-remote
Commit: 426e114058f2f4df924ee9f8b909a02c08127cb1
Parents: 82fd585
Author: plusplusjiajia <ji...@intel.com>
Authored: Fri Jan 29 14:27:40 2016 +0800
Committer: plusplusjiajia <ji...@intel.com>
Committed: Fri Jan 29 14:27:40 2016 +0800
----------------------------------------------------------------------
kerby-dist/README.md | 62 ++++++++++++++++++++++++++++++++++-------------
1 file changed, 45 insertions(+), 17 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/426e1140/kerby-dist/README.md
----------------------------------------------------------------------
diff --git a/kerby-dist/README.md b/kerby-dist/README.md
index a8be62a..e246956 100644
--- a/kerby-dist/README.md
+++ b/kerby-dist/README.md
@@ -22,27 +22,27 @@ Kerby-dist
The distribution of Kerby.
-### 1. To run with a standalone kdc server, kdcinit, kadmin, kinit and klist
+## 1. How to play with kerby kdc server
-* 1. Generate libraries for distribution:
+#### 1. Generate libraries for distribution:
```
mvn package -Pdist
```
-* 2. Run kdcinit:
+#### 2. Run kdcinit:
```
cd kerby-dist/kdc-dist
sh bin/kdcinit.sh [server-conf-dir] [keytab]
```
The admin principal will be exported into [keytab], it will be used by kadmin tool for the authentication.
-* 3. Start kerby-kdc-server:
+#### 3. Start kerby-kdc-server:
```
cd kerby-dist/kdc-dist
sh bin/start-kdc.sh [server-conf-dir] [work-dir]
```
-* 4. Run kadmin to add or delete principals:
+#### 4. Run kadmin to add or delete principals:
```
cd kerby-dist/kdc-dist
sh bin/kadmin.sh [server-conf-dir] -k [keytab]
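Review bot: the heading hierarchy in this hunk jumps from `## 1. How to play with kerby kdc server` straight to `#### 1. Generate libraries for distribution:` with no `###` level in between, and the sub-step numbering restarts at 1 under section 1, which makes "step 1" ambiguous; use `###` for the sub-steps (or number them 1.1, 1.2, ...) so the rendered table of contents nests correctly. Since the text after step 2 states that the admin principal is exported into `[keytab]` and that kadmin authenticates with it, the same paragraph should also tell the reader to keep that file readable only by the KDC administrator, because whoever can read it can run kadmin as the admin principal.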
@@ -50,13 +50,13 @@ sh bin/kadmin.sh [server-conf-dir] -k [keytab]
The keytab file is created by the kdcinit.
In kadmin, you can type "?" for help.
-* 5. Run kinit:
+#### 5. Run kinit:
```
cd kerby-dist/tool-dist
sh bin/kinit.sh -conf [client-conf-dir] [principal-name]
```
-* 6. Run klist:
+#### 6. Run klist:
```
cd kerby-dist/tool-dist
sh bin/klist.sh -c [credentials-cache]
@@ -90,53 +90,81 @@ An example of krb5.conf:
kdc_tcp_port = 8015
```
-### 2. Anonymous PKINIT configuration
-generate a private key:
+## 2. Anonymous PKINIT configuration
+#### 1. Generate a client private key:
```
openssl genrsa -out cakey.pem 2048
```
-generate the CA certificate:
+#### 2. Generate the CA certificate:
```
openssl req -key cakey.pem -new -x509 -out cacert.pem -days 3650
```
-generate the KDC key:
+#### 3. Generate the KDC key:
```
openssl genrsa -out kdckey.pem 2048
```
-generate a certificate request:
+#### 4. Generate a certificate request:
```
openssl req -new -out kdc.req -key kdckey.pem
```
-generate the certificate:
+#### 5. Generate the kdc certificate:
+First, you will need a file named pkinit_extensions containing the following:
+```
+[kdc_cert]
+basicConstraints=CA:FALSE
+keyUsage=nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
+extendedKeyUsage=1.3.6.1.5.2.3.5
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+issuerAltName=issuer:copy
+subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name
+
+[kdc_princ_name]
+realm=EXP:0,GeneralString:${ENV::REALM}
+principal_name=EXP:1,SEQUENCE:kdc_principal_seq
+
+[kdc_principal_seq]
+name_type=EXP:0,INTEGER:1
+name_string=EXP:1,SEQUENCE:kdc_principals
+
+[kdc_principals]
+princ1=GeneralString:krbtgt
+princ2=GeneralString:${ENV::REALM}
+```
+Then:
```
openssl x509 -req -in kdc.req -CAkey cakey.pem -CA cacert.pem -out kdc.pem -extfile pkinit_extensions -extensions kdc_cert -CAcreateserial
```
-On the KDC, you must set the pkinit_identity variable to provide the KDC certificate.
+#### 6 . On the KDC, you must set the pkinit_identity variable to provide the KDC certificate.
Configure the following relation in the[kdcdefaults] section of the KDC’s kdc.conf file
```
pkinit_identity = FILE:/var/lib/krb5kdc/kdc.pem,/var/lib/krb5kdc/kdckey.pem
```
-On client hosts, you must set the pkinit_anchors variable in order to trust the issuing authority for the KDC certificate. Configure the following relation in krb5.conf file.
+#### 7. On client hosts, you must set the pkinit_anchors variable in order to trust the issuing authority for the KDC certificate. Configure the following relation in krb5.conf file.
```
pkinit_anchors = FILE:/etc/krb5/cacert.pem
```
-create the principalWELLKNOWN/ANONYMOUS using the command:
+#### 8. Create the principalWELLKNOWN/ANONYMOUS using the command:
```
sh bin/kadmin.sh [server-conf-dir] -k [keytab]
addprinc -randkey WELLKNOWN/ANONYMOUS
```
-To obtain anonymous credentials on a client, run:
+#### 9. To obtain anonymous credentials on a client, run:
```
sh bin/kinit.sh -conf [client-conf-dir] -n
```
The resulting tickets will have the client name WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS.
+#### References:
+[1]http://web.mit.edu/Kerberos/krb5-1.12/doc/admin/pkinit.html#creating-certificates
+[2]http://k5wiki.kerberos.org/wiki/Pkinit_configuration
+
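Review bot: the new heading `#### 1. Generate a client private key:` mislabels the key, since `openssl genrsa -out cakey.pem 2048` produces the key that step 2 uses as `-key cakey.pem` to self-sign the CA certificate and step 5 passes as `-CAkey cakey.pem`; rename it "Generate the CA private key" so readers do not copy a CA key onto clients. The `pkinit_extensions` file references `${ENV::REALM}` twice, but no step exports a `REALM` environment variable before the `openssl x509 -req ... -extfile pkinit_extensions -extensions kdc_cert` command, so the certificate's subjectAltName principal would be generated with an empty realm; add an explicit `export REALM=<your realm>` step (with the realm written in upper case to match the KDC's realm) before step 5. Minor fixes in the same hunk: `#### 6 .` has a stray space before the period, `the[kdcdefaults]` and `principalWELLKNOWN/ANONYMOUS` are missing a space, and the reference entries `[1]http://...` and `[2]http://...` should have a space after the bracket so they render as links.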