svn commit: r54114 - head/en_US.ISO8859-1/books/handbook/security

Benedict Reuschling bcr at FreeBSD.org
Fri May 8 13:58:06 UTC 2020 

Author: bcr
Date: Fri May  8 13:58:05 2020
New Revision: 54114
URL: https://svnweb.freebsd.org/changeset/doc/54114

Log:
  Updates to the Kerberos section:
  
  - prefer sysrc to manual edits of /etc/rc.conf
  - Add pkg install step
  - provide the full path to the kadmind.acl file
  - Updated messages from kadmin add command
  - Update Heimdal wiki link
  
  I changed only minor details in the original patch to
  conform to our doc style and conventions.
  
  Submitted by:	farhan_farhan.codes
  Approved by:	bcr@
  Differential Revision:	https://reviews.freebsd.org/D23596

Modified:
  head/en_US.ISO8859-1/books/handbook/security/chapter.xml

Modified: head/en_US.ISO8859-1/books/handbook/security/chapter.xml
==============================================================================
--- head/en_US.ISO8859-1/books/handbook/security/chapter.xml	Fri May  8 09:16:46 2020	(r54113)
+++ head/en_US.ISO8859-1/books/handbook/security/chapter.xml	Fri May  8 13:58:05 2020	(r54114)
@@ -1207,12 +1207,17 @@ sendmail : PARANOID : deny</programlisting>
 	<acronym>KDC</acronym> is recommended for security
 	reasons.</para>
 
-      <para>To begin setting up a <acronym>KDC</acronym>, add these
-	lines to <filename>/etc/rc.conf</filename>:</para>
+      <para>To begin, install the <package>security/heimdal</package>
+	package as follows:</para>
 
-      <programlisting>kdc_enable="YES"
-kadmind_enable="YES"</programlisting>
+      <screen>&prompt.root; <userinput>pkg install heimdal</userinput></screen>
 
+      <para>Next, update <filename>/etc/rc.conf</filename> using
+	<command>sysrc</command> as follows:</para>
+
+      <screen>&prompt.root; <userinput>sysrc kdc_enable=yes</userinput>
+&prompt.root; <userinput>sysrc kadmind_enable=yes</userinput></screen>
+
       <para>Next, edit <filename>/etc/krb5.conf</filename> as
 	follows:</para>
 
@@ -1295,25 +1300,32 @@ Realm max ticket life [unlimited]:</screen>
       <para>Lastly, while still in <command>kadmin</command>, create
 	the first principal using <command>add</command>.  Stick to
 	the default options for the principal for now, as these can be
-	changed later with <command>modify</command>.  Type
-	<literal>?</literal> at the prompt to see the available
+	<command>kadmin</command>, using the <command>add</command>.
+	Stick to the default options for the admin principal for now,
+	as these can be changed later with <command>modify</command>.
+	Type <literal>?</literal> at the prompt to see the available
 	options.</para>
 
-      <screen>kadmin> <userinput>add <replaceable>tillman</replaceable></userinput>
+      <screen>kadmin> <userinput>add tillman</userinput>
 Max ticket life [unlimited]:
 Max renewable life [unlimited]:
+Principal expiration time [never]:
+Password expiration time [never]:
 Attributes []:
 Password: <userinput><replaceable>xxxxxxxx</replaceable></userinput>
 Verifying password - Password: <userinput><replaceable>xxxxxxxx</replaceable></userinput></screen>
 
-      <para>Next, start the <acronym>KDC</acronym> services by running
-	<command>service kdc start</command> and
-	<command>service kadmind start</command>.  While there will
-	not be any kerberized daemons running at this point, it is
-	possible to confirm that the <acronym>KDC</acronym> is
-	functioning by obtaining a ticket for the
-	principal that was just created:</para>
+      <para>Next, start the <acronym>KDC</acronym> services by
+	running:</para>
 
+      <screen>&prompt.root; <userinput>service kdc start</userinput>
+&prompt.root; <userinput>service kadmind start</userinput></screen>
+
+      <para>While there will not be any kerberized daemons running at
+	this point, it is possible to confirm that the
+	<acronym>KDC</acronym> is functioning by obtaining a ticket
+	for the principle that was just created:</para>
+
       <screen>&prompt.user; <userinput>kinit <replaceable>tillman</replaceable></userinput>
 tillman at EXAMPLE.ORG's Password:</screen>
 
@@ -1380,8 +1392,9 @@ Aug 27 15:37:58 2013  Aug 28 01:37:58 2013  krbtgt/EXA
 	<command>kadmin</command> will prompt for the password to get
 	a fresh ticket.  The principal authenticating to the kadmin
 	service must be permitted to use the <command>kadmin</command>
-	interface, as specified in <filename>kadmind.acl</filename>.
-	See the section titled <quote>Remote administration</quote> in
+	interface, as specified in
+	<filename>/var/heimdal/kadmind.acl</filename>.  See the
+	section titled <quote>Remote administration</quote> in
 	<command>info heimdal</command> for details on designing
 	access control lists.  Instead of enabling remote
 	<command>kadmin</command> access, the administrator could
@@ -1756,8 +1769,8 @@ kadmind_enable="YES"</programlisting>
 
 	<listitem>
 	  <para><link
-	      xlink:href="https://www.h5l.org/">Heimdal
-	      <application>Kerberos</application> home
+	      xlink:href="https://github.com/heimdal/heimdal/wiki">Heimdal
+	      <application>Kerberos</application> project wiki
 	      page</link></para>
 	</listitem>
       </itemizedlist>

More information about the svn-doc-all mailing list