From 40ea57dfe954256d354a2613e22081674dc9e43d Mon Sep 17 00:00:00 2001
From: ajacoutot <>
Date: Wed, 10 Jul 2013 05:12:15 +0000
Subject: [PATCH] Ship a simpler krb5.conf which logs to syslog(3) by default.

Remove useless README -- the info(1) and man(1) pages contains all the required information.

ok dcoppa@ robert@ beck@
---
 src/etc/Makefile | 4 +-
 src/etc/kerberosV/README | 19 ---------
 src/etc/kerberosV/krb5.conf.example | 66 ++++++++---------------------
 3 files changed, 18 insertions(+), 71 deletions(-)
 delete mode 100644 src/etc/kerberosV/README

diff --git a/src/etc/Makefile b/src/etc/Makefile
index c897575b..d2060550 100644
--- a/src/etc/Makefile
+++ b/src/etc/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.332 2013/06/01 14:06:20 naddy Exp $
+# $OpenBSD: Makefile,v 1.333 2013/07/10 05:12:15 ajacoutot Exp $
 
 TZDIR= /usr/share/zoneinfo
 LOCALTIME= Canada/Mountain
@@ -167,8 +167,6 @@ distribution-etc-root-var: distrib-dirs
 	${INSTALL} -c -o root -g wheel -m 600 /dev/null \
 	${DESTDIR}/etc/skel/.ssh/authorized_keys
 	cd kerberosV; \
-	${INSTALL} -c -o root -g wheel -m 644 README \
-	${DESTDIR}/etc/kerberosV; \
 	${INSTALL} -c -o root -g wheel -m 644 krb5.conf.example \
 	${DESTDIR}/etc/kerberosV
 	cd amd; \
diff --git a/src/etc/kerberosV/README b/src/etc/kerberosV/README
deleted file mode 100644
index f944d755..00000000
--- a/src/etc/kerberosV/README
+++ /dev/null
@@ -1,19 +0,0 @@
-# $OpenBSD: README,v 1.3 2003/08/01 08:42:37 hin Exp $
-
-Notes about the KerberosV support in OpenBSD:
-
-- Please check the heimdal info page (type "info heimdal") to get more
-  information. A number of manpages also exists, although the info-page
-  is currently the best installation instruction.
-
-- There are some very informational RFCs in the source directory.
-
-- Before you use KerberosV you should setup an /etc/kerberosV/krb5.conf
-  according to the instructions in the heimdal infopage.
-
-- The directory /var/heimdal contains logs, the database and acl files,
-  and must be created before the kdc, kadmind or kpasswdd can be used.
-  Disclosing the database would be a _really_ bad thing.
-
-- The file /etc/kerberosV/krb5.keytab contains the encryption keys and
-  its important that you keep this file secret.
diff --git a/src/etc/kerberosV/krb5.conf.example b/src/etc/kerberosV/krb5.conf.example
index 1f436c5f..5b9b4b9c 100644
--- a/src/etc/kerberosV/krb5.conf.example
+++ b/src/etc/kerberosV/krb5.conf.example
@@ -1,59 +1,27 @@
-# $OpenBSD: krb5.conf.example,v 1.6 2005/02/07 06:08:10 david Exp $
+# $OpenBSD: krb5.conf.example,v 1.7 2013/07/10 05:12:15 ajacoutot Exp $
 #
-# Example Kerberos 5 configuration file. You may need to change the defaults
-# in this file to match your environment.
-#
-# See krb5.conf(5) and the heimdal infopage for more information.
-#
-# Normally, the realm should be your DNS domain name with uppercase
-# letters. In this example file, we've written the realm as MY.REALM
-# and the domain as my.domain to make it clear what we refer to.
-#
-# Normally, it is not necessary to do any changes on client-only
-# machines, as it's recommended that the information needed is put
-# in DNS.
-# On server machines, it is not strictly necessary, but it is recommended
-# to have local configuration.
-#
-[libdefaults]
-	# Set the realm of this host here
-	default_realm = MY.REALM
-
-	# Maximum allowed time difference between KDC and this host
-	clockskew = 300
+# Kerberos 5 minimal configuration example.
+# See krb5.conf(5) and the heimdal info(1) page for more information.
 
-	# Uncomment this if you run NAT on the client side of kauth.
-	# This may be considered a security issue though.
-	# no-addresses = yes
+[libdefaults]
+	# local realm(s)
+	default_realm = DOMAIN.TLD
 
 [realms]
-	MY.REALM = {
-		# Specify KDC here
-		kdc = kerberos.my.domain
-
-		# Administration server, used for creating users etc.
-		admin_server = kerberos.my.domain
-	}
+	DOMAIN.TLD = {
+		# list of KDC(s) for this realm
+		kdc = kerberos.domain.tld
 
-	# Example of a "foreign" realm
-	OTHER.REALM = {
-		kdc = kerberos.other.domain
-		default_domain = other.domain
-		v4_domains = other.domain
+		# admin server for this realm
+		admin_server = kerberos.domain.tld
 	}
 
-# This sections describes how to figure out a realm given a DNS name
-[domain_realm]
-	.my.domain = MY.REALM
-
-
 [kadmin]
-	# This is the trickiest part of a Kerberos installation. See the
-	# heimdal infopage for more information about encryption types.
-
-	# For a k5 only realm, this will be fine
-# default_keys = v5
+	# default salt string
+	default_keys = v5
 
 [logging]
-	# The KDC logs by default, but it's nice to have a kadmind log as well.
-	kadmind = FILE:/var/heimdal/kadmind.log
+	# log to syslog(3)
+	kdc = SYSLOG:INFO:DAEMON
+	kpasswdd = SYSLOG:INFO:AUTH
+	default = SYSLOG:INFO:DAEMON
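Review bot: The new comment above `default_keys = v5` in `[kadmin]` calls the value a "salt string", but the comment it replaces tied this setting to the encryption types used for new principals, so the label should say what the knob actually selects, e.g. `# key/salt types used when creating new principals (v5 = Kerberos 5 default salt); see krb5.conf(5)`. The minimal file also drops `[domain_realm]` without mentioning it; the removed header said that mapping is otherwise expected to come from DNS, so a line such as `# no [domain_realm] section: host-to-realm mapping comes from DNS unless set here` would stop a server operator from taking the example as complete. Finally, kadmind loses its explicit `FILE:` target and now falls under `default = SYSLOG:INFO:DAEMON` while kpasswdd goes to AUTH; stating that in the `# log to syslog(3)` comment would make the facility split read as intentional rather than an omission.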