etc/000075500000000000000000000000001116641616600116375ustar00rootroot00000000000000
etc/krb5.conf000064400000000000000000000011461116641616600133530ustar00rootroot00000000000000
# Kerberos 5 library/client configuration. EXAMPLE.COM and kerberos.example.com
# are template values and must be replaced with the site's realm and hosts.
[logging]
# Log destinations for the Kerberos libraries, the KDC and kadmind.
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
# NOTE(review): ticket_lifetime has no unit suffix; presumably seconds
# (about 6 h 40 min) -- confirm against the consuming library.
 ticket_lifetime = 24000
 default_realm = EXAMPLE.COM
# With both DNS lookups off, the realm mapping and KDC addresses come only
# from the static [realms] and [domain_realm] entries below.
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
# KDC on port 88 and kadmind on port 749 of the same host.
 EXAMPLE.COM = {
  kdc = kerberos.example.com:88
  admin_server = kerberos.example.com:749
  default_domain = example.com
 }

[domain_realm]
# Map the DNS domain (with and without leading dot) to the realm.
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM

[kdc]
# Points the KDC at its own configuration file (shipped later in this archive).
 profile = /var/lib/kerberos/krb5kdc/kdc.conf

[pam]
# NOTE(review): presumably read by a PAM Kerberos module -- confirm which one.
# ticket_lifetime here (36000) differs from the [libdefaults] value (24000).
 debug = false
 ticket_lifetime = 36000
 renew_lifetime = 36000
 forwardable = true
 krb4_convert = false
etc/rc.d/000075500000000000000000000000001116641616600124655ustar00rootroot00000000000000
etc/rc.d/init.d/000075500000000000000000000000001116641616600136525ustar00rootroot00000000000000
etc/rc.d/init.d/kadmin000075500000000000000000000041261116641616600150460ustar00rootroot00000000000000#!/bin/bash
#
# kadmind      Start and stop the Kerberos 5 administrative server.
#
# chkconfig:   345 35 65
# description: Kerberos 5 is a trusted third-party authentication system. \
#              This script starts and stops the Kerberos 5 administrative \
#              server, which should only be run on the master server for a \
#              realm.
# processname: kadmind
#

WITHOUT_RC_COMPAT=1

# Source function library.
. /etc/init.d/functions

# Get config.
SourceIfNotEmpty /etc/sysconfig/network

LOCKFILE=/var/lock/subsys/kadmin
KDC_PATH=/var/lib/kerberos/krb5kdc
RETVAL=0

# Export the kadmin/admin and kadmin/changepw service keys into kadm5.keytab
# by running kadmin.local against the local database.
# NOTE(review): the keytab holds long-term service keys; nothing here sets its
# mode or owner, so confirm it ends up readable by root only.
extract_keys() {
    action $"Extracting kadm5 Service Keys: " \
        /usr/sbin/kadmin.local -q "ktadd\ -k\ ${KDC_PATH}/kadm5.keytab\ kadmin/admin\ kadmin/changepw"
}

# Start kadmind. Silently returns 0 (does nothing) when networking is off,
# when no principal database exists, or when kpropd.acl is present.
start() {
    is_yes "$NETWORKING" || return 0
    [ -f "$KDC_PATH/principal" ] || return 0
    # kpropd.acl is what the kprop script requires before starting kpropd, so
    # its presence is treated as "this host receives propagation" and kadmind
    # is not started (the header says it belongs on the master only).
    [ ! -f "$KDC_PATH/kpropd.acl" ] || return 0
    # Create the keytab on first start only.
    [ -f "$KDC_PATH/kadm5.keytab" ] || extract_keys
    start_daemon --lockfile "$LOCKFILE" --expect-user root -- kadmind
    RETVAL=$?
    return $RETVAL
}

# Stop kadmind and release the subsystem lock file.
stop() {
    stop_daemon --lockfile "$LOCKFILE" --expect-user root -- kadmind
    RETVAL=$?
    return $RETVAL
}

# Full stop followed by start.
restart() {
    stop
    start
}

# Send SIGHUP to kadmind through stop_daemon; no lock file is passed here.
reload() {
    msg_reloading kadmind
    stop_daemon --expect-user root -HUP -- kadmind
    RETVAL=$?
    return $RETVAL
}

# See how we were called.
case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    reload)
        reload
        ;;
    restart)
        restart
        ;;
    # The cond* actions act only when the lock file shows the service was started.
    condstop)
        if [ -e "$LOCKFILE" ]; then
            stop
        fi
        ;;
    condrestart)
        if [ -e "$LOCKFILE" ]; then
            restart
        fi
        ;;
    condreload)
        if [ -e "$LOCKFILE" ]; then
            reload
        fi
        ;;
    status)
        status --expect-user root -- kadmind
        RETVAL=$?
        ;;
    *)
        msg_usage "${0##*/} {start|stop|reload|restart|condstop|condrestart|condreload|status}"
        RETVAL=1
esac

exit $RETVAL
etc/rc.d/init.d/kdcrotate000075500000000000000000000020741116641616600155630ustar00rootroot00000000000000#!/bin/sh
#
# kdcrotate     This shell script rotates the list of KDCs in /etc/krb5.conf
#
# Author:       Based on SysV Init in RHS Linux by Damien Neil
#               Written by Nalin Dahyabhai
#
# chkconfig: 345 99 01
#
# description: Rotate the list of KDCs listed in /etc/krb5.conf
#
PATH=/sbin:$PATH

# Only run in runlevels where we're 'enabled', which should only be 345.
if [ "$1" != "start" ] ; then
    exit 0
fi

# source function library
. /etc/rc.d/init.d/functions

# The awk program buffers each run of consecutive "kdc =" lines, moves the
# first line of the run to its end, and collects the whole file in NEWCONFIG;
# the END rule then writes NEWCONFIG back over /etc/krb5.conf.
# NOTE(review): the rewrite is done in place, with no temporary file, rename
# or backup, so a failed or interrupted run can leave krb5.conf truncated.
# NOTE(review): buffered kdc lines are flushed only when a non-kdc line
# follows them; a file that ends on a "kdc =" line would lose those lines.
action "Rotating KDC list" "awk '
/^[[:space:]]*kdc[[:space:]]*=/ { \\
    if(length(firstkdc) == 0) { \\
        firstkdc = \$0; \\
    } else { \\
        if(length(kdclist) > 0) { \\
            kdclist = kdclist ORS; \\
        } \\
        kdclist = kdclist \$0; \\
    } \\
    next; \\
} \\
{ \\
    if(length(kdclist) > 0) { \\
        NEWCONFIG = NEWCONFIG kdclist ORS; \\
    } \\
    if(length(firstkdc) > 0) { \\
        NEWCONFIG = NEWCONFIG firstkdc ORS; \\
    } \\
    firstkdc = \"\"; \\
    kdclist = \"\"; \\
    NEWCONFIG = NEWCONFIG \$0 ORS; \\
} \\
END {printf \"%s\", NEWCONFIG > \"/etc/krb5.conf\"}' /etc/krb5.conf"
etc/rc.d/init.d/kprop000075500000000000000000000034621116641616600147400ustar00rootroot00000000000000#!/bin/bash
#
# kpropd.init  Start and stop the Kerberos 5 propagation client.
#
# chkconfig:   345 35 65
# description: Kerberos 5 is a trusted third-party authentication system. \
#              This script starts and stops the service that allows this \
#              KDC to receive updates from your master KDC.
# processname: kpropd
#

WITHOUT_RC_COMPAT=1

# Source function library.
. /etc/init.d/functions

# Get config.
SourceIfNotEmpty /etc/sysconfig/network

LOCKFILE=/var/lock/subsys/kprop
KDC_PATH=/var/lib/kerberos/krb5kdc
RETVAL=0

# Shell functions to cut down on useless shell instances.

# Start kpropd with -S. Does nothing (returns 0) when networking is off or
# when kpropd.acl is absent.
# NOTE(review): start/stop omit --expect-user root although reload and status
# pass it -- confirm whether the difference is intended.
start() {
    is_yes "$NETWORKING" || return 0
    [ -f "$KDC_PATH/kpropd.acl" ] || return 0
    start_daemon --lockfile "$LOCKFILE" -- kpropd -S
    RETVAL=$?
    return $RETVAL
}

# Stop kpropd and release the subsystem lock file.
stop() {
    stop_daemon --lockfile "$LOCKFILE" -- kpropd
    RETVAL=$?
    return $RETVAL
}

# Full stop followed by start.
restart() {
    stop
    start
}

# Send SIGHUP to kpropd through stop_daemon.
reload() {
    msg_reloading kpropd
    stop_daemon --expect-user root -HUP -- kpropd
    RETVAL=$?
    return $RETVAL
}

# See how we were called.
case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    reload)
        reload
        ;;
    restart)
        restart
        ;;
    # The cond* actions act only when the lock file shows the service was started.
    condstop)
        if [ -e "$LOCKFILE" ]; then
            stop
        fi
        ;;
    condrestart)
        if [ -e "$LOCKFILE" ]; then
            restart
        fi
        ;;
    condreload)
        if [ -e "$LOCKFILE" ]; then
            reload
        fi
        ;;
    status)
        status --expect-user root -- kpropd
        RETVAL=$?
        ;;
    *)
        msg_usage "${0##*/} {start|stop|reload|restart|condstop|condrestart|condreload|status}"
        RETVAL=1
esac

exit $RETVAL
etc/rc.d/init.d/krb5kdc000075500000000000000000000034511116641616600151300ustar00rootroot00000000000000#!/bin/bash
#
# krb5kdc      Start and stop the Kerberos 5 servers.
#
# chkconfig:   345 35 65
# description: Kerberos 5 is a trusted third-party authentication system. \
#              This script starts and stops the server that Kerberos IV and 5 \
#              clients need to connect to in order to obtain credentials.
# processname: krb5kdc
#

WITHOUT_RC_COMPAT=1

# Source function library.
. /etc/init.d/functions

# Get config.
SourceIfNotEmpty /etc/sysconfig/network

LOCKFILE=/var/lock/subsys/krb5kdc
# Trailing slash: "$KDC_PATH/principal" below expands with a double slash.
KDC_PATH=/var/lib/kerberos/krb5kdc/
RETVAL=0

# Start the KDC. Does nothing (returns 0) when networking is off or when no
# principal database exists.
# NOTE(review): start/stop omit --expect-user root although reload and status
# pass it -- confirm whether the difference is intended.
start() {
    is_yes "$NETWORKING" || return 0
    [ -f "$KDC_PATH/principal" ] || return 0
    start_daemon --lockfile "$LOCKFILE" -- krb5kdc
    RETVAL=$?
    return $RETVAL
}

# Stop the KDC and release the subsystem lock file.
stop() {
    stop_daemon --lockfile "$LOCKFILE" -- krb5kdc
    RETVAL=$?
    return $RETVAL
}

# Full stop followed by start.
restart() {
    stop
    start
}

# Send SIGHUP to krb5kdc through stop_daemon.
# NOTE(review): PIDFILE is never assigned in this script, so --pidfile gets an
# empty string unless the sourced function library defines it -- confirm.
reload() {
    msg_reloading krb5kdc
    stop_daemon --pidfile "$PIDFILE" --expect-user root -HUP -- krb5kdc
    RETVAL=$?
    return $RETVAL
}

# See how we were called.
case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    reload)
        reload
        ;;
    restart)
        restart
        ;;
    # The cond* actions act only when the lock file shows the service was started.
    condstop)
        if [ -e "$LOCKFILE" ]; then
            stop
        fi
        ;;
    condrestart)
        if [ -e "$LOCKFILE" ]; then
            restart
        fi
        ;;
    condreload)
        if [ -e "$LOCKFILE" ]; then
            reload
        fi
        ;;
    # NOTE(review): same unset PIDFILE as in reload().
    status)
        status --pidfile "$PIDFILE" --expect-user root -- krb5kdc
        RETVAL=$?
        ;;
    *)
        msg_usage "${0##*/} {start|stop|reload|restart|condstop|condrestart|condreload|status}"
        RETVAL=1
esac

exit $RETVAL
etc/xinetd.d/000075500000000000000000000000001116641616600133545ustar00rootroot00000000000000
etc/xinetd.d/eklogin000064400000000000000000000004721116641616600147320ustar00rootroot00000000000000# default: off
# description: The encrypting kerberized rlogin server accepts rlogin sessions \
#              authenticated and encrypted with Kerberos 5.
# Shipped disabled (disable = yes); when enabled, xinetd runs klogind as root
# with "-e -5".
service eklogin
{
    flags = REUSE
    socket_type = stream
    wait = no
    user = root
    server = /usr/sbin/klogind
    server_args = -e -5
    disable = yes
}
etc/xinetd.d/gssftp000064400000000000000000000005021116641616600146020ustar00rootroot00000000000000# default: off
# description: The kerberized FTP server accepts FTP connections \
#              that can be authenticated with Kerberos 5.
# Shipped disabled. Failed attempts additionally log USERID.
# NOTE(review): the description says connections "can be" authenticated with
# Kerberos; check what "-l -a" enforce in krb5-ftpd before enabling, so that
# password logins over an unencrypted channel are not accepted by accident.
service ftp
{
    flags = REUSE
    socket_type = stream
    wait = no
    user = root
    server = /usr/sbin/krb5-ftpd
    server_args = -l -a
    log_on_failure += USERID
    disable = yes
}
etc/xinetd.d/klogin000064400000000000000000000004551116641616600145660ustar00rootroot00000000000000# default: off
# description: The kerberized rlogin server accepts BSD-style rlogin sessions, \
#              but uses Kerberos 5 authentication.
# Shipped disabled. Unlike eklogin, klogind is started without -e and the
# description promises authentication only, not an encrypted session.
service klogin
{
    flags = REUSE
    socket_type = stream
    wait = no
    user = root
    server = /usr/sbin/klogind
    server_args = -5
    disable = yes
}
etc/xinetd.d/krb5-telnet000064400000000000000000000004771116641616600154430ustar00rootroot00000000000000# default: off
# description: The kerberized telnet server accepts normal telnet sessions, \
#              but can also use Kerberos 5 authentication.
# Shipped disabled. No server_args are given and the description states that
# normal (non-Kerberos) telnet sessions are accepted, so enabling this as-is
# would expose a root-run service that takes unencrypted logins.
service telnet
{
    flags = REUSE
    socket_type = stream
    wait = no
    user = root
    server = /usr/sbin/krb5-telnetd
    log_on_failure += USERID
    disable = yes
}
etc/xinetd.d/kshell000064400000000000000000000004531116641616600145630ustar00rootroot00000000000000# default: off
# description: The kerberized rshell server accepts rshell commands \
#              authenticated and encrypted with Kerberos 5.
# Shipped disabled; when enabled, xinetd runs kshd as root with "-e -5".
service kshell
{
    flags = REUSE
    socket_type = stream
    wait = no
    user = root
    server = /usr/sbin/kshd
    server_args = -e -5
    disable = yes
}
var/000075500000000000000000000000001116641616600116545ustar00rootroot00000000000000
var/lib/000075500000000000000000000000001116641616600124225ustar00rootroot00000000000000
var/lib/kerberos/000075500000000000000000000000001116641616600142365ustar00rootroot00000000000000
var/lib/kerberos/krb5kdc/000075500000000000000000000000001116641616600155635ustar00rootroot00000000000000
var/lib/kerberos/krb5kdc/kadm5.acl000064400000000000000000000000261116641616600172430ustar00rootroot00000000000000
# kadmind ACL: every principal whose instance is "admin" in EXAMPLE.COM is
# granted all privileges ("*"). Creation of */admin principals therefore needs
# to be tightly controlled; consider narrowing the privilege list per role.
*/admin@EXAMPLE.COM *
var/lib/kerberos/krb5kdc/kdc.conf000064400000000000000000000005121116641616600171710ustar00rootroot00000000000000[kdcdefaults]
# Paths to the kadmind ACL, the dictionary file and the admin keytab.
 acl_file = /var/lib/kerberos/krb5kdc/kadm5.acl
 dict_file = /usr/share/dict/words
 admin_keytab = /var/lib/kerberos/krb5kdc/kadm5.keytab

[realms]
# NOTE(review): the database master key is single DES (des-cbc-crc), and the
# supported list offers only DES, 3DES and RC4 -- no AES enctype. Single DES
# and RC4 are deprecated for Kerberos; new realms should use AES enctypes.
# Changing master_key_type on an existing database presumably needs a master
# key migration, not just an edit here -- confirm before changing.
# des-cbc-crc:afs3 uses the afs3 salt type, presumably for AFS compatibility.
 EXAMPLE.COM = {
  master_key_type = des-cbc-crc
  supported_enctypes = rc4-hmac:normal des-cbc-crc:normal des3-cbc-raw:normal des3-cbc-sha1:normal des-cbc-crc:afs3
 }