xref: /freebsd/crypto/krb5/doc/html/admin/install_clients.html (revision 7f2fe78b9dd5f51c821d771b63d2e096f6fd49e9)
<!DOCTYPE html>

<html>
  <head>
    <meta charset="utf-8" />
    <meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="generator" content="Docutils 0.17.1: http://docutils.sourceforge.net/" />

    <title>Installing and configuring UNIX client machines &#8212; MIT Kerberos Documentation</title>
    <link rel="stylesheet" type="text/css" href="../_static/pygments.css" />
    <link rel="stylesheet" type="text/css" href="../_static/agogo.css" />
    <link rel="stylesheet" type="text/css" href="../_static/kerb.css" />
    <script data-url_root="../" id="documentation_options" src="../_static/documentation_options.js"></script>
    <script src="../_static/jquery.js"></script>
    <script src="../_static/underscore.js"></script>
    <script src="../_static/doctools.js"></script>
    <link rel="author" title="About these documents" href="../about.html" />
    <link rel="index" title="Index" href="../genindex.html" />
    <link rel="search" title="Search" href="../search.html" />
    <link rel="copyright" title="Copyright" href="../copyright.html" />
    <link rel="next" title="UNIX Application Servers" href="install_appl_srv.html" />
    <link rel="prev" title="Installing KDCs" href="install_kdc.html" />
  </head><body>
    <div class="header-wrapper">
        <div class="header">


            <h1><a href="../index.html">MIT Kerberos Documentation</a></h1>

        </div>
    </div>

    <div class="content-wrapper">
      <div class="content">
        <div class="document">

      <div class="documentwrapper">
        <div class="bodywrapper">
          <div class="body" role="main">

  <section id="installing-and-configuring-unix-client-machines">
<h1>Installing and configuring UNIX client machines<a class="headerlink" href="#installing-and-configuring-unix-client-machines" title="Permalink to this headline">¶</a></h1>
<p>The Kerberized client programs include <a class="reference internal" href="../user/user_commands/kinit.html#kinit-1"><span class="std std-ref">kinit</span></a>,
<a class="reference internal" href="../user/user_commands/klist.html#klist-1"><span class="std std-ref">klist</span></a>, <a class="reference internal" href="../user/user_commands/kdestroy.html#kdestroy-1"><span class="std std-ref">kdestroy</span></a>, and <a class="reference internal" href="../user/user_commands/kpasswd.html#kpasswd-1"><span class="std std-ref">kpasswd</span></a>.  All of
these programs are in the directory <a class="reference internal" href="../mitK5defaults.html#paths"><span class="std std-ref">BINDIR</span></a>.</p>
<p>You can often integrate Kerberos with the login system on client
machines, typically through the use of PAM.  The details vary by
operating system, and should be covered in your operating system’s
documentation.  If you do this, you will need to make sure your users
know to use their Kerberos passwords when they log in.</p>
<p>You will also need to educate your users to use the ticket management
programs kinit, klist, and kdestroy.  If you do not have Kerberos
password changing integrated into the native password program (again,
typically through PAM), you will need to educate users to use kpasswd
in place of its non-Kerberos counterpart, passwd.</p>
<section id="client-machine-configuration-files">
<h2>Client machine configuration files<a class="headerlink" href="#client-machine-configuration-files" title="Permalink to this headline">¶</a></h2>
<p>Each machine running Kerberos should have a <a class="reference internal" href="conf_files/krb5_conf.html#krb5-conf-5"><span class="std std-ref">krb5.conf</span></a> file.
At a minimum, it should define a <strong>default_realm</strong> setting in
<a class="reference internal" href="conf_files/krb5_conf.html#libdefaults"><span class="std std-ref">[libdefaults]</span></a>.  If you are not using DNS SRV records
(<a class="reference internal" href="realm_config.html#kdc-hostnames"><span class="std std-ref">Hostnames for KDCs</span></a>) or URI records (<a class="reference internal" href="realm_config.html#kdc-discovery"><span class="std std-ref">KDC Discovery</span></a>), it must
also contain a <a class="reference internal" href="conf_files/krb5_conf.html#realms"><span class="std std-ref">[realms]</span></a> section containing information for your
realm’s KDCs.</p>
<p>Consider setting <strong>rdns</strong> to false in order to reduce your dependence
on precisely correct DNS information for service hostnames.  Turning
this flag off means that service hostnames will be canonicalized
through forward name resolution (which adds your domain name to
unqualified hostnames, and resolves CNAME records in DNS), but not
through reverse address lookup.  The default value of this flag is
true for historical reasons only.</p>
<p>If you anticipate users frequently logging into remote hosts
(e.g., using ssh) using forwardable credentials, consider setting
<strong>forwardable</strong> to true so that users obtain forwardable tickets by
default.  Otherwise users will need to use <code class="docutils literal notranslate"><span class="pre">kinit</span> <span class="pre">-f</span></code> to get
forwardable tickets.</p>
<p>Consider adjusting the <strong>ticket_lifetime</strong> setting to match the likely
length of sessions for your users.  For instance, if most of your
users will be logging in for an eight-hour workday, you could set the
default to ten hours so that tickets obtained in the morning expire
shortly after the end of the workday.  Users can still manually
request longer tickets when necessary, up to the maximum allowed by
each user’s principal record on the KDC.</p>
<p>If a client host may access services in different realms, it may be
useful to define a <a class="reference internal" href="conf_files/krb5_conf.html#domain-realm"><span class="std std-ref">[domain_realm]</span></a> mapping so that clients know
which hosts belong to which realms.  However, if your clients and KDC
are running release 1.7 or later, it is also reasonable to leave this
section out on client machines and just define it in the KDC’s
krb5.conf.</p>
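<p>The following Python sketch is an added example, not part of the MIT Kerberos documentation or code: it parses a client krb5.conf and reports where the file departs from the settings discussed in this section.  The sample file, the realm <code>EXAMPLE.COM</code>, the host name and the <code>parse</code> and <code>audit</code> helpers are constructed for illustration; an unset <strong>forwardable</strong> is treated as false and an unset <strong>rdns</strong> as true.</p>

```python
import re

# Constructed sample client krb5.conf; realm and host names are placeholders.
SAMPLE = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    rdns = false
    forwardable = true
    ticket_lifetime = 10h
[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com
    }
"""

TRUE = {"y", "yes", "true", "t", "1", "on"}  # spellings treated as true here

def parse(text):
    """Parse sections, relations and one level of { } subsections."""
    conf, section, sub = {}, None, None
    for line in map(str.strip, text.splitlines()):
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section, sub = conf.setdefault(m.group(1), {}), None
        elif line == "}":
            sub = None
        elif section is not None and "=" in line and line[0] not in "#;":
            key, val = (s.strip() for s in line.split("=", 1))
            if val == "{":
                sub = section.setdefault(key, {})
            else:
                (section if sub is None else sub).setdefault(key, []).append(val)
    return conf

def audit(text):
    """Return findings for the client settings this section discusses."""
    conf = parse(text)
    lib, out = conf.get("libdefaults", {}), []
    realm = lib.get("default_realm", [None])[0]
    if realm is None:
        out.append("default_realm is not set in [libdefaults]")
    elif not conf.get("realms", {}).get(realm, {}).get("kdc"):
        out.append(f"no kdc for {realm} in [realms]: DNS SRV or URI records needed")
    if lib.get("rdns", ["true"])[0].lower() in TRUE:  # rdns defaults to true
        out.append("rdns is true: reverse lookup is used for canonicalization")
    if lib.get("forwardable", ["false"])[0].lower() not in TRUE:
        out.append("forwardable is false: users need kinit -f")
    if "ticket_lifetime" not in lib:
        out.append("ticket_lifetime is not set: library default applies")
    return out
```

<p>An empty list from <code>audit</code> means the file sets every value covered above; a missing <strong>[realms]</strong> entry is reported rather than rejected, because KDC discovery through DNS is a valid alternative.</p>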
</section>
</section>


            <div class="clearer"></div>
          </div>
        </div>
      </div>
        </div>
        <div class="clearer"></div>
      </div>
    </div>

    <div class="footer-wrapper">
        <div class="footer" >
            <div class="right" ><i>Release: 1.21.3</i><br />
                &copy; <a href="../copyright.html">Copyright</a> 1985-2024, MIT.
            </div>
        </div>
    </div>

  </body>
</html>
207</html>