Installing a Kerberized Server

  1. Install Kerberos on the server machine. See the Kerberos V5 Installation Guide for instructions. You do not have to install all of the Kerberos clients just to run a NetSolve server, but you do need kadmin and the components that deal with Kerberos tickets, such as kinit and kdestroy.

  2. Define a Kerberos service principal for the NetSolve server. To define the principal for machine foo.bar.com:

    1. Get the name and the password of a Kerberos principal that is authorized to run kadmin and create principals.

    2. Log on to the machine where you want to install the Kerberized NetSolve server. Make sure you have a secure connection to the client machine (perhaps you're typing on the machine's keyboard, or perhaps you're using ssh to log in to that machine), so that your password will not be exposed on the net.

    3. Do a kinit to acquire a ticket that identifies you as someone who can create principals.

    4. Create a service principal for the NetSolve server on your host. If your host is named foo.bar.com, the service principal should be named netsolve/foo.bar.com:
      UNIX> kadmin

      (If you don't have a Kerberos ticket yet, kadmin will try to get one for you based on your UNIX username. If there is a Kerberos principal for that username, and that principal has the ability to create new principals, just type in your password when asked to do so. Otherwise, run kinit to get a ticket for some other principal that has the ability to create new principals, and then run kadmin again.)

      kadmin: addprincipal -randkey netsolve/foo.bar.com
      kadmin: ktadd -k /etc/netsolve.keytab netsolve/foo.bar.com

      This will extract the key into the file /etc/netsolve.keytab. You can put this keytab any place you want, but it must be on a local filesystem. If you put the file on an NFS-mounted filesystem then (a) you will compromise the security of your server by exposing the key to eavesdroppers, and (b) there's a good chance that NFS file locking bugs will cause your NetSolve server to get wedged.

    5. While you're at it, you might want to define other service principals for the same host. For instance, a service principal of the form host/foo.bar.com is needed if you want to allow Kerberized logins to that host. This is straightforward:
      kadmin: addprincipal -randkey host/foo.bar.com
      kadmin: ktadd host/foo.bar.com

    6. Make sure that /etc/netsolve.keytab is readable only by the UNIX user-id that will run the NetSolve server. Permissions should be 0600 (-rw-------), and the owner should not be root.
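
The keytab rules from steps 4 and 6 (local filesystem, mode 0600, owner not root and matching the server account) can be checked with a short script. This is an added example, not part of the NetSolve distribution; it assumes GNU stat as found on Linux, and the account name "netsolve" in the usage comment is a hypothetical placeholder for whatever user runs your server.

```shell
#!/bin/sh
# Added example: audit a NetSolve keytab against the rules in this guide.
# evaluate_keytab takes plain values, so its logic can be tested without
# root or a real keytab.

# evaluate_keytab MODE OWNER FSTYPE EXPECTED_USER
# Prints one line per problem; returns 0 if none were found, 1 otherwise.
evaluate_keytab() {
    mode=$1 owner=$2 fstype=$3 expected=$4 rc=0
    # Any mode other than exactly 600 (including setuid/sticky bits) fails.
    if [ "$mode" != "600" ]; then
        echo "mode is $mode, expected 600 (-rw-------)"; rc=1
    fi
    if [ "$owner" = "root" ]; then
        echo "owner is root; the keytab owner should not be root"; rc=1
    elif [ "$owner" != "$expected" ]; then
        echo "owner is $owner, expected $expected"; rc=1
    fi
    # GNU stat reports NFS mounts with a type beginning with "nfs".
    case $fstype in
        nfs*) echo "keytab is on $fstype; it must be on a local filesystem"
              rc=1 ;;
    esac
    return $rc
}

# check_keytab PATH EXPECTED_USER
# Collects mode, owner and filesystem type with GNU stat and evaluates them.
check_keytab() {
    path=$1
    if [ ! -f "$path" ]; then
        echo "$path: not a regular file"; return 1
    fi
    evaluate_keytab "$(stat -L -c '%a' "$path")" \
                    "$(stat -L -c '%U' "$path")" \
                    "$(stat -L -f -c '%T' "$path")" "$2"
}

# Usage (hypothetical account name):
#   check_keytab /etc/netsolve.keytab netsolve
```
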