Realms”
(page 89). Carefully set up the machine that is to serve as the KDC and
apply tight security, see
Section 6.4.3, “Setting Up the KDC Hardware”
(page 90).
Set up a reliable time source in your network to make sure all tickets contain valid
timestamps, see
Section 6.4.4, “Configuring Time Synchronization”
(page 91).
Basic Configuration
Configure the KDC and the clients, see
Section 6.4.5, “Configuring the KDC”
(page 92) and
Section 6.4.6, “Configuring Kerberos Clients”
(page 94). Enable
remote administration for your Kerberos service, so you do not need physical access
to your KDC machine, see
Section 6.4.7, “Configuring Remote Kerberos Admin-
istration”
(page 100). Create service principals for every service in your realm, see
Section 6.4.8, “Creating Kerberos Service Principals”
(page 102).
Enabling Kerberos Authentication
Various services in your network can make use of Kerberos. To add Kerberos
password-checking to applications using PAM, proceed as outlined in
Section 6.4.9,
“Enabling PAM Support for Kerberos”
(page 103). To configure SSH or LDAP
with Kerberos authentication, proceed as outlined in
Section 6.4.10, “Configuring
SSH for Kerberos Authentication”
(page 104) and
Section 6.4.11, “Using LDAP
and Kerberos”
(page 105).
6.4.1 Kerberos Network Topology
Any Kerberos environment must meet the following requirements to be fully functional:
• Provide a DNS server for name resolution across your network, so clients and
servers can locate each other. Refer to Chapter 22, The Domain Name System
(↑Administration Guide) for information on DNS setup.
• Provide a time server in your network. Using exact time stamps is crucial to a
Kerberos setup, because valid Kerberos tickets must contain correct time stamps.
Refer to Chapter 21, Time Synchronization with NTP (↑Administration Guide) for
information on NTP setup.
• Provide a key distribution center (KDC) as the center piece of the Kerberos archi-
tecture. It holds the Kerberos database. Use the tightest possible security policy on
this machine to prevent any attacks on this machine compromising your entire in-
frastructure.
• Configure the client machines to use Kerberos authentication.
88
Security Guide
Содержание LINUX ENTERPRISE DESKTOP 11
Страница 1: ...SUSE Linux Enterprise Server www novell com 11 March 17 2009 Security Guide...
Страница 9: ...32 7 Managing Audit Event Records Using Keys 433 33 Useful Resources 435...
Страница 10: ......
Страница 29: ...Part I Authentication...
Страница 30: ......
Страница 55: ...Figure 4 2 YaST LDAP Server Configuration LDAP A Directory Service 41...
Страница 126: ......
Страница 127: ...Part II Local Security...
Страница 128: ......
Страница 158: ......
Страница 173: ...Part III Network Security...
Страница 174: ......
Страница 194: ......
Страница 197: ...Figure 16 2 Scenario 2 Figure 16 3 Scenario 3 Configuring VPN Server 183...
Страница 210: ......
Страница 228: ......
Страница 229: ...Part IV Confining Privileges with Novell AppArmor...
Страница 230: ......
Страница 274: ......
Страница 300: ......
Страница 328: ......
Страница 340: ......
Страница 342: ......
Страница 386: ......
Страница 387: ...Part V The Linux Audit Framework...
Страница 388: ......