Posted to commits@directory.apache.org by pl...@apache.org on 2016/02/15 03:42:56 UTC

[32/36] directory-kerby git commit: Refine the readme.

Refine the readme.


Project: http://git-wip-us.apache.org/repos/asf/directory-kerby/repo
Commit: http://git-wip-us.apache.org/repos/asf/directory-kerby/commit/426e1140
Tree: http://git-wip-us.apache.org/repos/asf/directory-kerby/tree/426e1140
Diff: http://git-wip-us.apache.org/repos/asf/directory-kerby/diff/426e1140

Branch: refs/heads/kadmin-remote
Commit: 426e114058f2f4df924ee9f8b909a02c08127cb1
Parents: 82fd585
Author: plusplusjiajia <ji...@intel.com>
Authored: Fri Jan 29 14:27:40 2016 +0800
Committer: plusplusjiajia <ji...@intel.com>
Committed: Fri Jan 29 14:27:40 2016 +0800

----------------------------------------------------------------------
 kerby-dist/README.md | 62 ++++++++++++++++++++++++++++++++++-------------
 1 file changed, 45 insertions(+), 17 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/directory-kerby/blob/426e1140/kerby-dist/README.md
----------------------------------------------------------------------
diff --git a/kerby-dist/README.md b/kerby-dist/README.md
index a8be62a..e246956 100644
--- a/kerby-dist/README.md
+++ b/kerby-dist/README.md
@@ -22,27 +22,27 @@ Kerby-dist
 
 The distribution of Kerby.
 
-### 1. To run with a standalone kdc server, kdcinit, kadmin, kinit and klist
+## 1. How to play with kerby kdc server
 
-* 1. Generate libraries for distribution:
+#### 1. Generate libraries for distribution:
 ```
 mvn package -Pdist
 ```
 
-* 2. Run kdcinit:
+#### 2. Run kdcinit:
 ```
 cd kerby-dist/kdc-dist
 sh bin/kdcinit.sh [server-conf-dir] [keytab]
 ```
 The admin principal will be exported into [keytab], it will be used by kadmin tool for the authentication. 
 
-* 3. Start kerby-kdc-server:
+#### 3. Start kerby-kdc-server:
 ```
 cd kerby-dist/kdc-dist
 sh bin/start-kdc.sh [server-conf-dir] [work-dir]
 ```
 
-* 4. Run kadmin to add or delete principals:
+#### 4. Run kadmin to add or delete principals:
 ```
 cd kerby-dist/kdc-dist
 sh bin/kadmin.sh [server-conf-dir] -k [keytab]
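Review bot: the new headings skip a level, going from `## 1. How to play with kerby kdc server` straight to `#### 1. Generate libraries for distribution:` with no `###` in between, which renders inconsistently in most Markdown viewers; use `###` for the numbered steps (and consider `## 1. How to use the Kerby KDC server` for the section title). Since step 2 states that the admin principal's key is exported into `[keytab]` and step 4 authenticates kadmin with `-k [keytab]`, this section should also say that the keytab must be kept readable only by the administrator running kadmin, because anyone who can read it holds the admin credential.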
@@ -50,13 +50,13 @@ sh bin/kadmin.sh [server-conf-dir] -k [keytab]
   The keytab file is created by the kdcinit.
   In kadmin, you can type "?" for help.
 
-* 5. Run kinit:
+#### 5. Run kinit:
 ```
 cd kerby-dist/tool-dist
 sh bin/kinit.sh -conf [client-conf-dir] [principal-name]
 ```
 
-* 6. Run klist:
+#### 6. Run klist:
 ```
 cd kerby-dist/tool-dist
 sh bin/klist.sh -c [credentials-cache]
@@ -90,53 +90,81 @@ An example of krb5.conf:
     kdc_tcp_port = 8015
 ```
 
-### 2. Anonymous PKINIT configuration
-generate a private key:
+## 2. Anonymous PKINIT configuration
+#### 1. Generate a client private key:
 ```
 openssl genrsa -out cakey.pem 2048
 ```
 
-generate the CA certificate:
+#### 2. Generate the CA certificate:
 ```
 openssl req -key cakey.pem -new -x509 -out cacert.pem -days 3650
 ```
 
-generate the KDC key:
+#### 3. Generate the KDC key:
 ```
 openssl genrsa -out kdckey.pem 2048
 ```
 
-generate a certificate request:
+#### 4. Generate a certificate request:
 ```
 openssl req -new -out kdc.req -key kdckey.pem
 ```
 
-generate the certificate:
+#### 5. Generate the kdc certificate:
+First, you will need a file named pkinit_extensions containing the following:
+```
+[kdc_cert]
+basicConstraints=CA:FALSE
+keyUsage=nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
+extendedKeyUsage=1.3.6.1.5.2.3.5
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+issuerAltName=issuer:copy
+subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name
+
+[kdc_princ_name]
+realm=EXP:0,GeneralString:${ENV::REALM}
+principal_name=EXP:1,SEQUENCE:kdc_principal_seq
+
+[kdc_principal_seq]
+name_type=EXP:0,INTEGER:1
+name_string=EXP:1,SEQUENCE:kdc_principals
+
+[kdc_principals]
+princ1=GeneralString:krbtgt
+princ2=GeneralString:${ENV::REALM}
+```
+Then:
 ```
 openssl x509 -req -in kdc.req -CAkey cakey.pem -CA cacert.pem -out kdc.pem -extfile pkinit_extensions -extensions kdc_cert -CAcreateserial
 ```
 
-On the KDC, you must set the pkinit_identity variable to provide the KDC certificate.
+#### 6 . On the KDC, you must set the pkinit_identity variable to provide the KDC certificate.
 Configure the following relation in the[kdcdefaults] section of the KDC’s kdc.conf file
 ```
 pkinit_identity = FILE:/var/lib/krb5kdc/kdc.pem,/var/lib/krb5kdc/kdckey.pem
 ```
 
-On client hosts, you must set the pkinit_anchors variable in order to trust the issuing authority for the KDC certificate. Configure the following relation in krb5.conf file.
+#### 7. On client hosts, you must set the pkinit_anchors variable in order to trust the issuing authority for the KDC certificate. Configure the following relation in krb5.conf file.
 ```
 pkinit_anchors = FILE:/etc/krb5/cacert.pem
 ```
 
-create the principalWELLKNOWN/ANONYMOUS using the command:
+#### 8. Create the principalWELLKNOWN/ANONYMOUS using the command:
 ```
 sh bin/kadmin.sh [server-conf-dir] -k [keytab]
 addprinc -randkey WELLKNOWN/ANONYMOUS
 ```
 
-To obtain anonymous credentials on a client, run:
+#### 9. To obtain anonymous credentials on a client, run:
 ```
 sh bin/kinit.sh -conf [client-conf-dir] -n
 ```
 The resulting tickets will have the client name WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS.
 
+#### References: 
+[1]http://web.mit.edu/Kerberos/krb5-1.12/doc/admin/pkinit.html#creating-certificates
+[2]http://k5wiki.kerberos.org/wiki/Pkinit_configuration
+
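Review bot: step 1 is mislabeled as `#### 1. Generate a client private key:`; `cakey.pem` is the CA's private key (it is passed as `-CAkey cakey.pem` in step 5 and signs the KDC certificate), so the heading should read "Generate the CA private key" and the doc should say it must be protected like any CA key. The `pkinit_extensions` file references `${ENV::REALM}` in both `[kdc_princ_name]` and `[kdc_principals]`, but the instructions never say to set it; add a line such as `export REALM=EXAMPLE.COM` (the KDC's realm) before the `openssl x509 -req ...` command, otherwise the SubjectAltName principal is generated with an empty realm and PKINIT clients will reject the certificate. Smaller fixes in the added lines: `#### 6 . On the KDC` has a stray space before the period; `principalWELLKNOWN/ANONYMOUS` in step 8 is missing a space; the context line `the[kdcdefaults] section` is also missing a space and the reference list lacks a space after `[1]` and `[2]`.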