Q: com.apple.kerberos.kdc certificate
iMac intel 1.83 GHz, 15″ MacBook Pro, Mac OS X (10.5.2), 2GB RAM
Posted on Apr 5, 2008 8:21 PM
You should keep them. See this article
I am experiencing the problem that the above article refers to — i.e. when connecting to a computer in the .local domain, I am prompted for a password, rather than being authenticated automatically with Kerberos. However, I have not removed my com.apple.kerberos.kdc certificate or key pair on any of my Macs. Also, I can see that the ‘Not Valid Before’ date matches when I installed Leopard on that particular computer, which is different for each of my Macs.
So my problem is continuing.
Posted on Apr 12, 2008 5:42 AM
Helpful answers
I am having issues with the com.apple.kerberos.kdc certificate(s) as well. I recently set up OS X Server 10.5 with updates to v10.5.2. I cannot get Mail, iCal/CalDAV, Sharing, and other services to work from my client computers. It appears the issue is related to security and certificates named com.apple.kerberos.kdc & com.apple.systemdefault, where the root certificates are self-signed and have the error message "This root certificate is not trusted". Currently working to resolve this issue. So far it looks like I need to use Certificate Assistant to set myself up as a CA (certificate authority) on my server and then set the trust values for the certificate. Since I'm a newcomer to OS X Server I am still researching and looking for direction prior to proceeding. I set up OS X 10.5.x Server in standard mode using Server Assistant, but expect to eventually switch to advanced mode when I get up to speed with server settings and preferences.
Anyone have any advice on how to resolve this certificate problem?
Apr 7, 2008 1:46 PM
I have a related question. Because of a security concern, I studied Keychain Access entries offline and found these certificates marked "This root certificate is not trusted":
com.apple.kerberos.kdc
com.apple.systemdefault
Dashboard Advisory
Absent any other clues, I deleted them before reconnecting to the network. I see no consequence yet, but now I find
http://support.apple.com/kb/TS1452
which says do not delete these.
1. What is the consequence of deletion?
2. How do I restore them short of reinstalling 10.5 (please, not that!)?
Jun 10, 2008 10:29 AM
Configuring Kerberos authentication with smart cards
Continuing the long-running topic of two-factor authentication on GNU/Linux, let me describe how Kerberos authentication works and how to set it up. In this article we walk through configuring MIT Kerberos to authenticate users with certificates and key pairs stored on a USB token. The material in this article can also be used to configure authentication in a Windows domain.
Brief introduction
Kerberos is a network authentication protocol that allows identities to be verified securely over an insecure network. It is aimed primarily at the client-server model and provides mutual authentication: both parties confirm each other's identity through the server.
Note that Kerberos is first and foremost a protocol, not a particular authentication system. Its implementations are used in various operating systems, including Windows, as the method of authenticating users in a domain. There are several open-source implementations of the Kerberos protocol, for example the original MIT Kerberos and Heimdal. This zoo of implementations arose because of US export restrictions on cryptographic software; today the situation around MIT Kerberos has settled down. In this article we cover the setup of MIT Kerberos V5.
Kerberos terminology
- Ticket: temporary data issued to a client for authenticating to the server that hosts the required service.
- Client: an entity on the network (a user, host or service) that can obtain a ticket from Kerberos.
- Key distribution center (KDC): the service that issues Kerberos tickets.
- Realm: the network served by Kerberos, consisting of KDC servers and a set of clients. The realm name is case-sensitive, is usually written in upper case, and matches the domain name.
- Principal: a unique name for a client that is allowed to authenticate with Kerberos. Written as root[/instance]@REALM.
Kerberos configuration files
On the server:
- /etc/krb5kdc/kdc.conf: KDC settings
On the client and the server:
- /etc/krb5.conf: authentication server settings (description of realms, domain names and other settings)
Setting up the working environment
First we need to deploy an environment in which the authentication will take place. The simplest way is to take two virtual machines on the same subnet. It is enough to install some Ubuntu on one virtual machine (this will be our server) and then clone it to get the client. When writing this article I used a fresh Ubuntu 12.10 (x86) and a VMware virtual machine. So that the virtual machines can see each other on the network more easily, switch their network adapters to Bridged mode.
Important! Make sure the time on the client and the server is synchronized; Kerberos requires this to work correctly.
Network setup
Kerberos clients find their servers by domain name, so DNS must be configured and you must make sure the server names resolve. In our example it is enough to put the server's domain name into /etc/hosts, which is what I did. The layout of the "network" is shown below.
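As an added example (not part of the article), here is a small POSIX shell pre-flight check for the two requirements above: the KDC's name must resolve (the article satisfies this with an /etc/hosts entry) and the client and KDC clocks must agree within the KDC's skew tolerance, which MIT krb5 sets to 300 seconds by default (the clockskew setting in [libdefaults]). The hosts file, address and epoch values below are constructed; the server name is the article's.

```shell
#!/bin/sh
# Added example, not the article's own code. Pre-flight checks for a Kerberos lab:
# the KDC name must resolve and client/KDC clocks must agree within the skew
# tolerance (MIT krb5 default: 300 s). Hosts file and addresses are constructed.

# hosts_lookup NAME FILE
# Print the address mapped to NAME in a hosts(5)-format file (comments skipped,
# aliases honoured); exit status 1 when there is no entry.
hosts_lookup() {
    awk -v n="$1" '
        /^[[:space:]]*#/ || NF < 2 { next }   # skip comments and blank lines
        { for (i = 2; i <= NF; i++) if ($i == n) { print $1; exit } }
    ' "$2" | grep .
}

# clock_skew_ok CLIENT_EPOCH KDC_EPOCH [MAX_SKEW]
# Succeed when |client - kdc| <= MAX_SKEW seconds (default 300).
clock_skew_ok() {
    skew=$(( $1 - $2 ))
    if [ "$skew" -lt 0 ]; then skew=$(( -skew )); fi
    [ "$skew" -le "${3:-300}" ]
}

# kdc_preflight KDC_NAME HOSTS_FILE CLIENT_EPOCH KDC_EPOCH
# Run both checks, report each one, and fail if either fails.
kdc_preflight() {
    ok=0
    if addr=$(hosts_lookup "$1" "$2"); then
        echo "resolve: $1 -> $addr"
    else
        echo "resolve: $1 has no entry in $2"; ok=1
    fi
    if clock_skew_ok "$3" "$4"; then
        echo "clock:   skew within tolerance"
    else
        echo "clock:   skew too large, fix NTP before testing Kerberos"; ok=1
    fi
    return $ok
}

# Constructed sample hosts file using the article's server name (not a real host).
HOSTS_FILE=$(mktemp)
cat > "$HOSTS_FILE" <<'EOF'
# lab hosts (constructed sample)
127.0.0.1      localhost
192.168.1.10   aktiv-test.ru kdc
EOF

# Demo: clocks 120 s apart pass; 900 s apart would fail the 300 s tolerance.
kdc_preflight aktiv-test.ru "$HOSTS_FILE" 1700000000 1700000120
```

In a real lab the two epoch values come from `date +%s` on the client and on the KDC; the point of keeping the check as a function is that the same 300-second boundary can be tested offline.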
Installing the required packages
On the server we need:
- krb5-kdc: the KDC service
- krb5-admin-server: the Kerberos administration server (it manages user accounts)
- krb5-pkinit: the Kerberos extension module for certificate-based authentication
On the client, install the following packages:
- krb5-user: the basic set of utilities for client-side authentication
- krb5-config: Kerberos configuration files
- krb5-pkinit
- libpam-krb5: the PAM module for Kerberos authentication
- pcscd, opensc, libengine-pkcs11-openssl: packages required for working with tokens
During package installation we are asked for default settings; we use the following:
- Default realm: AKTIV-TEST.RU
- Server names (admin server and KDC): aktiv-test.ru (also entered in /etc/hosts on the client)
- User: testuser@AKTIV-TEST.RU
Configuring Kerberos
Basic settings
Configuring public-key authentication
On the server:
Create a key pair and certificate for our "CA". Here we generate the CA key and create a self-signed certificate with openssl. In the real world the key must, of course, be protected carefully from falling into the wrong hands.
Create a key pair for the KDC, a certificate request, and issue the certificate to ourselves.
Here we need a special OpenSSL extensions file (pkinit_extensions) that specifies the additional certificate fields used by Kerberos. In particular, we set:
- Extended Key Usage (EKU): an identifier (OID) stating how the certificate is intended to be used
- otherName: a field naming the principal for which the certificate is issued
After that, move the following files to /var/lib/krb5kdc/:
- kdc.pem
- kdckey.pem
- cacert.pem
On the server, edit the Kerberos settings (the file /etc/krb5kdc/kdc.conf) to use the server and CA keys and certificates:
Next, on the server, enable pre-authentication for our user.
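As an added example (not the article's own commands), the following shell script carries the server-side steps above through in one piece: it generates the CA key and self-signed certificate, the KDC key, request and certificate, the pkinit_extensions file with the EKU and otherName fields, and, beyond the text, a client certificate of the kind that would be written to the token; it then writes the kdc.conf realm fragment that points the KDC at these files. The extensions file follows the layout given in the MIT krb5 PKINIT documentation. The realm AKTIV-TEST.RU, the principal testuser and the host name aktiv-test.ru come from the article; the output directory (a temporary directory instead of /var/lib/krb5kdc), the CA subject and the file names are assumptions so the script can run on any machine with openssl.

```shell
#!/bin/sh
# Added example, not the article's own commands: issue PKINIT certificates for the
# KDC and a client with openssl. Realm, principal and host names are the article's;
# OUT (a temp dir instead of /var/lib/krb5kdc) and the file names are assumed.
set -e
OUT=${OUT:-$(mktemp -d)}
REALM=AKTIV-TEST.RU
CLIENT=testuser
export REALM CLIENT   # the extensions file reads them via ${ENV::REALM} / ${ENV::CLIENT}

# OpenSSL x509v3 sections laid out as in the MIT krb5 PKINIT documentation.
# EKU 1.3.6.1.5.2.3.5 = id-pkinit-KPKdc, 1.3.6.1.5.2.3.4 = id-pkinit-KPClientAuth;
# SAN otherName 1.3.6.1.5.2.2 = id-pkinit-san, holding the Kerberos principal name.
write_pkinit_extensions() {
    cat > "$1" <<'EOF'
[kdc_cert]
basicConstraints=CA:FALSE
keyUsage=nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
extendedKeyUsage=1.3.6.1.5.2.3.5
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
issuerAltName=issuer:copy
subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name
[kdc_princ_name]
realm=EXP:0,GeneralString:${ENV::REALM}
principal_name=EXP:1,SEQUENCE:kdc_principal_seq
[kdc_principal_seq]
name_type=EXP:0,INTEGER:1
name_string=EXP:1,SEQUENCE:kdc_principals
[kdc_principals]
princ1=GeneralString:krbtgt
princ2=GeneralString:${ENV::REALM}
[client_cert]
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment,keyAgreement
extendedKeyUsage=1.3.6.1.5.2.3.4
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
issuerAltName=issuer:copy
subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:client_princ_name
[client_princ_name]
realm=EXP:0,GeneralString:${ENV::REALM}
principal_name=EXP:1,SEQUENCE:client_principal_seq
[client_principal_seq]
name_type=EXP:0,INTEGER:1
name_string=EXP:1,SEQUENCE:client_principals
[client_principals]
princ1=GeneralString:${ENV::CLIENT}
EOF
}

# The [realms] entry for kdc.conf once the files are in /var/lib/krb5kdc (article's paths).
write_kdc_conf_fragment() {
    cat > "$1" <<EOF
[realms]
    $REALM = {
        pkinit_identity = FILE:/var/lib/krb5kdc/kdc.pem,/var/lib/krb5kdc/kdckey.pem
        pkinit_anchors = FILE:/var/lib/krb5kdc/cacert.pem
    }
EOF
}

# keypair_and_request NAME SUBJECT: write NAMEkey.pem and NAME.req into $OUT.
keypair_and_request() {
    openssl genrsa -out "$OUT/${1}key.pem" 2048 2>/dev/null
    openssl req -new -key "$OUT/${1}key.pem" -subj "$2" -out "$OUT/$1.req"
}

# sign_request NAME SECTION: CA-sign $OUT/NAME.req using one extension section.
sign_request() {
    openssl x509 -req -in "$OUT/$1.req" -CA "$OUT/cacert.pem" -CAkey "$OUT/cakey.pem" \
        -CAcreateserial -days 365 -extfile "$OUT/pkinit_extensions" -extensions "$2" \
        -out "$OUT/$1.pem" 2>/dev/null
}

issue_pkinit_certs() {
    write_pkinit_extensions "$OUT/pkinit_extensions"
    # CA key and self-signed certificate (protect this key carefully in production).
    openssl genrsa -out "$OUT/cakey.pem" 2048 2>/dev/null
    openssl req -new -x509 -key "$OUT/cakey.pem" -subj "/CN=PKINIT test CA" -days 365 \
        -out "$OUT/cacert.pem"
    keypair_and_request kdc "/CN=aktiv-test.ru"
    sign_request kdc kdc_cert
    # The client certificate would live on the USB token in the article's setup.
    keypair_and_request client "/CN=$CLIENT"
    sign_request client client_cert
    write_kdc_conf_fragment "$OUT/kdc.conf.fragment"
}

# cert_has_eku FILE PATTERN: does the certificate's EKU match? (newer OpenSSL prints
# the friendly name, e.g. "Signing KDC Response", older versions the dotted OID)
cert_has_eku() {
    openssl x509 -in "$1" -noout -text | grep -Eq "$2"
}

if command -v openssl >/dev/null 2>&1; then
    issue_pkinit_certs
else   # no openssl on this machine: still produce the two text files
    write_pkinit_extensions "$OUT/pkinit_extensions"
    write_kdc_conf_fragment "$OUT/kdc.conf.fragment"
fi
echo "written to $OUT; on the real KDC then run: kadmin.local -q 'modprinc +requires_preauth $CLIENT'"
```

The KDC certificate names krbtgt/REALM as its principal and carries the KDC EKU; the client certificate names the user principal and carries the client-auth EKU, and the KDC refuses PKINIT with certificates that lack the matching EKU or SAN, which is why the extensions file, not the key pair, is the part of this procedure that is easy to get wrong.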
The remaining steps are performed on the client.
Configuring PAM authentication with Kerberos
Earlier, while setting up the client machine, we installed the libpam-krb5 package. It lets us authenticate with Kerberos at system login and in applications that use system authentication (for example login, lightdm and so on). To enable the PAM module it is enough to run the command
and select the required authentication modules in the dialog. For finer tuning you can look into /etc/pam.d/common-auth and edit it as you wish. I described the structure of that file in the previous article.
Conclusion
Using the Kerberos protocol for centralized authentication, combined with centralized creation, storage and distribution of accounts (for example via an OpenLDAP-based directory), makes it possible to build a "UNIX domain" consisting entirely of machines running free software. Such a solution can be used in the corporate sector, and smart-card authentication is a welcome bonus for both administrators and users of the company network.
OS X Lion: Enabling Kerberos authentication with a third-party key distribution center
This article describes how to configure OS X Lion to authenticate against a third-party key distribution center (KDC).
- Following the layout in the krb5.conf(5) man page, create the file /etc/krb5.conf containing information about your site. Here is an example of a basic krb5.conf file.
- Following the pam_krb5(8) man page, edit the pam_krb5.so line in /etc/pam.d/authorization to obtain a ticket-granting ticket (TGT) when logging in through the login window. For example, when using accounts that do not contain a valid AuthenticationAuthority attribute, add the default_principal value to the pam_krb5.so line.
- Following the pam_krb5(8) man page, edit the pam_krb5.so line in /etc/pam.d/screensaver to obtain a TGT when authenticating from the screen saver. As with /etc/pam.d/authorization, when using accounts that do not contain a valid AuthenticationAuthority attribute, add the default_principal value to the pam_krb5.so line.
- Log out and log back in with a user account whose short name matches a principal name in the Kerberos database of the KDC specified in /etc/krb5.conf. You can now view the obtained TGT with the Ticket Viewer application (in /System/Library/CoreServices) or with the klist command in Terminal.
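The krb5.conf example referred to above is not reproduced on this page, and the earlier article's "Kerberos configuration files" section names the same file without showing it. As an added example (not Apple's or the article's own files), the shell script below carries the client-side steps through on copies under a temporary directory: it writes a basic krb5.conf with the three sections a client needs, reads settings back out of it, and applies the default_principal edit to the pam_krb5.so lines of a PAM file idempotently. The realm and host names are taken from the earlier article; the sample /etc/pam.d/authorization content is constructed, and the default_principal option is used exactly as the steps above describe it.

```shell
#!/bin/sh
# Added example, not Apple's or the article's files. Carries the configuration
# steps through on copies under a temp directory: 1) write a basic krb5.conf,
# 2) add default_principal to the pam_krb5.so line(s) of a PAM file.
# Realm and host names are the article's; the PAM sample is constructed.
WORK=$(mktemp -d)

# write_krb5_conf REALM KDC_HOST ADMIN_HOST FILE
# Minimal client configuration: default realm, the realm's servers, and the
# DNS-domain-to-realm mapping (the realm name in lower case, as the article notes).
write_krb5_conf() {
    realm=$1; kdc=$2; admin=$3; file=$4
    domain=$(printf '%s' "$realm" | tr 'A-Z' 'a-z')
    cat > "$file" <<EOF
[libdefaults]
    default_realm = $realm

[realms]
    $realm = {
        kdc = $kdc
        admin_server = $admin
    }

[domain_realm]
    .$domain = $realm
    $domain = $realm
EOF
}

# krb5_conf_get FILE KEY: value of the first "KEY = value" line in the file.
krb5_conf_get() {
    awk -v k="$2" '$1 == k && $2 == "=" { print $3; exit }' "$1"
}

# pam_add_default_principal IN OUT
# Copy a PAM file, appending default_principal to every pam_krb5.so line that
# does not already carry it, so running it a second time changes nothing.
pam_add_default_principal() {
    awk '/pam_krb5\.so/ && !/default_principal/ { $0 = $0 " default_principal" }
         { print }' "$1" > "$2"
}

# count_default_principal FILE: number of pam_krb5.so lines carrying the option.
count_default_principal() {
    grep -c 'pam_krb5\.so.*default_principal' "$1" || true
}

# Constructed sample resembling /etc/pam.d/authorization (not copied from a system).
cat > "$WORK/authorization" <<'EOF'
# authorization: auth account (constructed sample)
auth       optional       pam_krb5.so use_first_pass use_kcminit
auth       sufficient     pam_krb5.so use_first_pass
auth       required       pam_opendirectory.so use_first_pass nullok
account    required       pam_opendirectory.so
EOF

write_krb5_conf AKTIV-TEST.RU aktiv-test.ru aktiv-test.ru "$WORK/krb5.conf"
pam_add_default_principal "$WORK/authorization" "$WORK/authorization.new"
pam_add_default_principal "$WORK/authorization.new" "$WORK/authorization.again"

echo "default_realm: $(krb5_conf_get "$WORK/krb5.conf" default_realm)"
echo "kdc: $(krb5_conf_get "$WORK/krb5.conf" kdc)"
echo "pam lines patched: $(count_default_principal "$WORK/authorization.new")"
cmp -s "$WORK/authorization.new" "$WORK/authorization.again" && echo "second run: no change"
```

Working on a copy and comparing the second run against the first is the habit worth keeping when scripting edits to files under /etc/pam.d: a PAM line duplicated or broken by a non-idempotent edit can lock every login path that uses it.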
Additional information
Note: The instructions in this article do not apply if OS X Server or Active Directory is used as the key distribution center.
Macintosh Development
Using the Kerberos Application on Mac OS X
This web page has instructions for the Kerberos application for Mac OS X.
These instructions reflect the Kerberos application on Mac OS X 10.3. While the Kerberos application is similar on previous OS X releases, not all features described below may be available or located in the same place.
MIT users should consult the Kerberos for Macintosh at MIT documentation, which reflects the currently supported version.
Table of contents
- Opening the Kerberos application
- Obtaining Kerberos tickets
- Specifying ticket lifetime when logging in
- About the ticket list
- Changing active users
- Destroying tickets
- Renewing tickets (i.e., extending your login duration)
- Displaying ticket information
- Changing your password
- Dock icon features
- Adding and removing realms
- Changing preferences
- Identifying the Version of Kerberos for Macintosh
If you’re not familiar with Kerberos authentication and terms such as Kerberos tickets, go to What Is Kerberos? to learn the concepts and terms.
Opening the Kerberos application
To open the Kerberos application:
If you have installed the Mac OS X Kerberos Extras, go to the Applications folder, open the Utilities folder, and open the Kerberos icon.
Otherwise, you will need to navigate to the /System/Library/CoreServices directory (use the Go To Folder… item in the Finder’s Go menu) and open the Kerberos icon from there. (You may want to run the Kerberos Extras or make your own alias in a more convenient location.)
Result: The Kerberos application window is displayed.
Obtaining Kerberos tickets
1. Click on the Get Tickets button, choose Get Tickets from the Tickets menu, or press Command-N.
Result: The Kerberos Login dialog box appears:
The first time you use the Kerberos application to log in, the username box is blank. After that, by default the Kerberos Login dialog box displays the username of the person who last used it to log in.
2. Type your Kerberos username in the username box. (This is not necessarily the same as your Mac OS X username.)
If you want to log in using a principal that contains an instance (if you are unfamiliar with this term, don’t worry about it), enter a slash after your username and then type the instance, e.g. "username/instance". (This is the v5 style of specifying instances.)
3. Click once in the password box, or press the Tab key, and type your password.
4. If you need to change realms, click once in the Realm field/popup list and choose the desired realm. If the desired realm is not present in the list, you can try typing it into the Realm field. This will only work if you have a Kerberos configuration file (edu.mit.Kerberos) that already includes the realm, or your site is set up for auto/DNS resolution of Kerberos realms. If neither of these is true, you should consult your system administrator for a proper Kerberos configuration file. You can see what realms are in the configuration file by using the Edit Favorite Realms feature of the Kerberos application.
Result: If authentication is successful, a ticket entry appears in the Kerberos application window:
The Active User box indicates your Kerberos username, the realm for which your Kerberos tickets are valid, and the time remaining for which they are valid. An entry also appears in the ticket list.
By default, Kerberos tickets are valid for 10 hours. You can shorten the duration for which tickets are valid at the time you log in. Refer to Specifying ticket lifetime when logging in for instructions on how to do this. You can also change the default ticket lifetime. Refer to Changing Preferences to find out how to do this.
If you get a Kerberos error, it may be for any of the following reasons:
- You’ve entered either your Kerberos username or password incorrectly. Try again, making sure that the CAPS LOCK key is not turned on.
- You may not have authorization to log into the realm specified. If you’re authorized to log into a different realm, refer to Adding and removing realms to make another realm available, and then choose it from the realms popup list when logging in.
- The realm you specified does not have an entry in your configuration file and/or your site does not have auto/DNS configuration for that realm. Contact your site administrator.
- There is a problem with your authorization for the realm you’re using. Contact your site administrator.
To see details about your tickets, click once on the triangle next to the username in the ticket list. See About the ticket list for more information.
The Kerberos application allows more than one Kerberos user to log into the same Macintosh (note this is not the same as having two Mac OS X users logged in at the same time). An additional person can log in by completing steps 1 to 4.
Each additional person who has logged in receives an entry in the ticket list:
The active Kerberos user, i.e., the username whose tickets are used for authentication when you start a new Kerberos-using application, appears in the Active User box. This username is also underlined in the ticket list.
To change active users, follow the procedure in the next section, Changing active users.
If you log out of Mac OS X, all tickets for all Kerberos users will be destroyed.
Once the duration of your tickets has ended, an "expired" message appears:
Specifying ticket lifetime when logging in
If you want to change the length of time that your tickets are valid upon logging in, you can do it through the Kerberos Login dialog box. To do this,
Click on the Get Tickets button, choose Get Tickets from the Tickets menu, or press Command-N.
Result: The Kerberos Login dialog box appears.
Click once on the Show Options button.
Result: The Kerberos Login dialog expands, revealing the login options:
Place the mouse pointer on the Ticket Lifetime slider and drag it to the desired time indicated above the slider.
If you want, you can click on the Hide Options button to hide the login options, or you can just leave them always displayed (the Kerberos Login dialog will remember whether it was expanded or not the next time it’s displayed).
Enter your Kerberos username (if it’s not already displayed) and password, then click on OK.
Result: If your login is successful, you’ve obtained tickets that are valid for the lifetime you specified.
The next time you log in, the lifetime of the tickets you obtain will be the same as the time you specified during the previous login, unless you repeat this procedure or force a constant default lifetime (see Changing preferences for instructions on how to do this).
Below the Active User box and the Renew Tickets, Destroy Tickets, and Change Password buttons is the ticket list. The ticket list shows all the principals that are currently authenticated in the current Mac OS X user’s session.
Each principal has a set of Kerberos tickets belonging to it. When you log in with Kerberos, you get a ticket-granting ticket which then allows you to get other tickets from other applications (also called services). Then for each application you run that requires Kerberos authentication, you get a service ticket.
By default, the principals and their tickets appear as a summary line in the ticket list. The summary lines are in bold text. Each summary line has three elements:
- The Kerberos versions supported by the realm the principal is authenticated in. This appears as "(v4/v5)", "(v4)", or "(v5)" before the principal. When you log in using Kerberos for Macintosh, it will attempt to get both Kerberos v4 and v5 tickets for your principal. However, not all Kerberos-using sites support both versions (v4 is becoming less common), or different realms at the same site may support different versions, so you may see only one version listed.
- The username of the authenticated principal.
- The minimum remaining lifetime for the ticket-granting tickets belonging to the principal (displayed as hours:minutes). You receive one ticket-granting ticket for each Kerberos version the realm supports; these may have different expiration times (although Kerberos for Macintosh attempts to make them the same).
Instead of a time, you may see either "expired" or "not valid" in the Time Remaining column. "Expired" means that your tickets have no time remaining and so are no longer valid; "not valid" means they are no longer valid for some other reason, usually because your Mac’s IP address has changed since you obtained the tickets. In either case, you need to renew your tickets (although Kerberos for Macintosh will also prompt you automatically to renew if you try to use a service requiring Kerberos tickets).
If you want to see details of tickets associated with each principal, click on the triangle at the left of the principal’s summary line. The list will expand:
In the expanded list, you will see a list of the tickets (credentials) belonging to that principal. If the principal is authenticated for both versions of Kerberos, the tickets are grouped by version underneath a subheading for each version (see picture above).
If you always want the ticket list to display expanded entries, you can set the "Always expand new ticket list entries" preference. See the Changing preferences section.
You can display even more detailed information about each ticket using the Ticket Info window. See the Displaying ticket information section.
Changing active users
The current, active user specifies which Kerberos username will be used for authentication when you work with an application that requires Kerberos authentication. If more than one Kerberos user is logged in, you may want to change the active user before using such an application.
Use one of the following techniques to change the active user:
- Click once on the boldfaced username line in the list that you want to be the active user, then click on the Make User Active button.
- Double-click on the boldfaced username line in the Tickets list.
- From the Tickets menu, choose Change Active User > username where username is the user you want to make active.
- Control-click on the Kerberos application’s icon in the dock to display the Kerberos dock menu, and choose the username you want to make active from it.
Result: The new active user is displayed in the Active User box and also appears underlined in the ticket list.
Destroying tickets
To destroy tickets, select the boldfaced username line in the ticket list then click on the Destroy Tickets button, or choose Destroy Tickets from the Tickets menu.
Result: The ticket entry is removed from the ticket list. If other Kerberos users are logged in, their usernames remain in the ticket list and their tickets are valid for the remaining time indicated.
Renewing tickets
If your tickets have expired, or you want to extend the lifetime of existing tickets, you may want to renew your tickets.
As of Mac OS X 10.3, Kerberos for Macintosh supports the "renewable" property for tickets. If your site allows tickets to have this property, you can renew tickets for up to a set amount of time without re-entering your password, as long as your current tickets are still valid (that is, haven’t expired). By default, Kerberos for Macintosh tries to get tickets with the "renewable" property; you can change this in the Kerberos Login dialog options or in the Kerberos application preferences.
In fact, by default, the Kerberos application will automatically attempt to renew your tickets if you leave it running (you can close the main window for convenience). Once half your ticket’s lifetime has expired, if it has the "renewable" property, the Kerberos application will automatically issue a renew request for it. It will keep doing this up until the renewable time limit. You can control this behavior by checking or unchecking the "Auto-renew renewable tickets" checkbox in the Kerberos application preferences.
You can see if a ticket is renewable, and for how long, by using the ticket information window. See Displaying ticket information below.
If your tickets are expired, or you choose not to use the auto-renew feature and want to renew your tickets before they expire, or your tickets do not support the "renewable" property, use the Renew Tickets command.
Click once on your boldfaced username line in the ticket list to select it.
Result: The Renew Tickets button is activated.
Click on the Renew Tickets button, choose Renew Tickets from the Tickets menu, or press Command-R.
Result: Either your tickets are renewed to their full lifetime (if your tickets had the "renewable" property and were not expired), or the Kerberos Login dialog box is displayed (if your tickets didn’t have the "renewable" property or they were expired).
If the Kerberos dialog was displayed, enter your password.
If you want to change the lifetime of the tickets you’re obtaining, see Specifying ticket lifetime when logging in for instructions.
Result: The tickets’ lifetime is extended either to the lifetime you specified when logging in or to the maximum duration set under Preferences (the default is 10 hours). To change the default ticket lifetime, see Changing Preferences. If you are very close to the maximum renewable lifetime, your tickets will only be good for the time remaining until the end of the renewable lifetime, which may be shorter than your requested lifetime.
Displaying ticket information
If you are interested in more information about your Kerberos tickets, the Kerberos application can display detailed information about each ticket by using the Get Ticket Info command. To display detailed ticket information:
- Select a ticket entry in the Kerberos application’s ticket list. (Note that you can only get info about individual ticket items, the non-bold lines. You may have to open the triangle next to the main entry to see the individual ticket items.)
- Either double-click on the entry, or from the Tickets menu choose Get Ticket Information, or press Command-I.
Result: The Ticket Info window appears:
At the top of the ticket info window is the principal who owns the ticket, the service that the ticket was obtained for, and the Kerberos version of the ticket. The rest of the information is divided into several panes for easier reading:
- Times — The exact time the ticket was issued, the start and end time that the ticket is valid for, and when the ticket is renewable until (if applicable), all in local time. Also a status field to tell you if the ticket is valid, expired, or not valid for another reason.
- Flags (for v5 tickets only) — The properties, such as forwardable and renewable, of the ticket.
- IP Addresses — The IP addresses for which the ticket is valid. v5 tickets may be valid for multiple or no addresses, so you may see more than one or none listed, although typically you will only see none or one listed. v4 tickets can have no more and no less than one address, so you will only see one listed.
- Encryption — For v5 tickets, lists both the session key and service principal key encryption types of the ticket. For v4 tickets, lists the string-to-key type of the ticket.
You can have more than one ticket info window open at once.
Changing your password
You can change your Kerberos password by using the Change Password… command.
To change your password,
Click on the boldfaced username line in the ticket list to select it.
Result: The Change Password… button is activated:
Click on the Change Password… button or choose Change Password… from the Tickets menu.
Result: The Kerberos Change Password dialog box appears with the name of the user selected previously at the top:
Enter the password you’re using now in the "Enter your old password" box.
Click once in the "Enter your new password" box, or press the Tab key, and type the new password.
Click once in the "Enter your new password again" box, or press the Tab key, and type the new password a second time, exactly as you typed it in the previous step.
Result: Either you receive a confirmation that your password has been changed, or, if you entered your old password incorrectly or the entries for the new password don’t match exactly, you get an error. You may also receive an error from the Kerberos server if you try to choose an insecure password.
This password stays in effect until you change it again using either the Kerberos application or the equivalent procedure on another Kerberos client on another platform.
Dock icon features
The Kerberos application’s dock icon has several features to help you quickly determine the status of the active user’s tickets and to manage your Kerberos tickets.
Graphical ticket status & time remaining indicator
In the dock icon, the color of the key in the dock icon changes to indicate the status of the active user’s tickets. Below the key is a display of the time remaining in the active user’s tickets in the form hours:minutes (the time remaining display can be turned off in the Preferences dialog or in the Kerberos dock menu). The possible states are:
Gold key: The active user has valid tickets.
Red key: The active user’s tickets are near expiration (less than 5 minutes lifetime remain).
Black key: The active user’s tickets have expired, or no tickets are in the cache. Time remaining is shown as "--:--".
Indented key: The Kerberos application is not running.
You can close the ticket list window without quitting the Kerberos application, so that you can still have the dock icon showing without cluttering your screen with a window you don’t always need open.
Kerberos Dock Menu
If you control-click (or click and hold down for a few seconds) on the Kerberos application’s dock icon while the application is running, the Kerberos dock menu will appear:
(If the only option you see in the Kerberos Dock Menu is "Show in Finder", the Kerberos application is not running.)
The Dock Menu items perform the following functions:
Kerberos — Brings the ticket list window to the front. (If the ticket list window is closed, this option will not be listed.) Other windows, such as any open ticket information windows, will also be listed and can be brought to the front by choosing them.
Display time remaining in icon — Turns on/off the display of time remaining of the active user’s tickets in the dock icon (default is on).
Get Tickets… — Displays the Kerberos Login dialog, allowing you to get tickets for a new user (or new tickets for an existing user).
Destroy Tickets — Destroys the active user’s tickets (the active user is indicated by a checkmark next to the user’s principal in the user list). If no users are authenticated, this option will be disabled.
Renew Tickets… — Renews the active user’s tickets (the active user is indicated by a checkmark next to the user’s principal in the user list). If the tickets do not have the renewable property, the Kerberos Login dialog is displayed; otherwise, renewal happens automatically. If no users are authenticated, this option will be disabled.
Active users (variable text) — These are the principals of the currently authenticated users. The active user is marked with a checkmark. You can change the active user by choosing another principal from the menu.
Keep In Dock — Retains the Kerberos application icon in the dock, even when the application is not running, for easy access.
Show In Finder — Opens the folder containing the Kerberos application in the Finder.
Hide — Hides, but does not quit, the Kerberos application.
Quit — Quits the Kerberos application.
Adding and removing realms
A default Kerberos realm is specified by the edu.mit.Kerberos configuration file (as distributed from MIT, this realm is ATHENA.MIT.EDU). When using the Kerberos application to log in, the Kerberos username and password entered are by default checked for authorization in that realm. You can add other realms, as described in this section, and change which one Kerberos Login uses by default. (For instructions on how to change the default realm, see Changing Preferences.)
Other realms listed in the edu.mit.Kerberos configuration file can also be used for logging in, but must first be added to the list of «favorite» realms which are displayed in the Kerberos Login dialog. You can do this in one of two ways.
First, you can type the realm you want directly into the Realm field/popup in the Kerberos Login dialog. This will only work if the realm is already in your Kerberos configuration file, or if your site is set up for auto/DNS resolution of Kerberos realms. If you are unsure whether either of these is the case, or you try to add a realm this way and it doesn’t work, consult your site administrator.
Second, you can use the Edit Favorite Realms command of the Kerberos application, which provides the following options for making the other realms in the preferences available for use:
- You can add one or multiple realms from the edu.mit.Kerberos preferences file to the Favorite Realms List.
- If you want to keep the list of Favorite realms to the minimum that you need, you can remove realms from the Favorite Realms List.
- You can type in the name of a realm to be used directly. This should only be used for auto configuration/DNS realms; typing in the name of a realm that is not in the configuration file and does not have an auto/DNS configuration at your site will not work, as simply giving the name of a realm does not provide all the necessary information for that realm to be used by Kerberos for Macintosh. If you do not see a realm you want here and are unsure whether there is an auto/DNS configuration for it, consult your site administrator.
For information on adding new realm information to the Kerberos preferences file, see the Kerberos Preferences on Mac OS X Documentation. Kerberos for Macintosh does not provide a GUI way to add this information. Generally you should not have to do this; consult with your site administrator first!
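As an added example that is not part of the original documentation, this is the kind of realm definition a site administrator would place in the edu.mit.Kerberos preferences file (krb5.conf syntax) so that a second realm shows up in the All Available Realms list. ATHENA.MIT.EDU is the default realm named above; the EXAMPLE.COM realm, its host names and domain mapping are constructed placeholders.

```ini
# Constructed example of an edu.mit.Kerberos / krb5.conf fragment.
# The realm named here is the one Kerberos Login uses unless the
# default realm is changed in Preferences.
[libdefaults]
    default_realm = ATHENA.MIT.EDU
    # Leave DNS realm/KDC lookup off unless the site relies on it;
    # with it off, a realm must be defined in [realms] below to be usable.
    dns_lookup_realm = false
    dns_lookup_kdc = false

# Every realm defined here appears in the Edit Favorite Realms dialog.
[realms]
    # Placeholder realm: hosts are constructed, not real servers.
    EXAMPLE.COM = {
        kdc = kdc1.example.com
        kdc = kdc2.example.com
        admin_server = kdc1.example.com
    }

# Maps host names to the realm whose tickets they accept, so a service
# on a host in example.com is looked up in EXAMPLE.COM rather than the
# default realm.
[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
```

A realm that is only typed into the Realm field, with no [realms] entry and DNS lookup disabled, has no KDC address to contact and will fail exactly as the note above describes.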
To add and remove realms,
From the Edit menu, choose Edit Favorite Realms… or press Command-E.
Result: The Edit Favorite Realms dialog box appears:
Do any of the following:
Click once on the realm that you want to add in the All Available Realms side of the dialog box, then click on Add to add the selected realm to the Favorite Realms list.
Result: The selected realm is moved to the Favorite Realms list:
Click on Add All to add all of the realms from the All Available Realms list to the Favorite Realms list.
Result: The remaining realms in the All Available Realms list are moved to the Favorite Realms list:
Click once on the realm that you want to remove in the Favorite Realms list of the dialog box, then click on Remove to remove the selected realm from the Favorite Realms list.
Result: The selected realm is removed from the Favorite Realms list:
NOTE: At least one realm is required in the Favorite Realms list.
- You can also rearrange the order of realms in the list by dragging them around in the Favorite Realms list.
When you have finished adding and/or removing realms, click on Done.
Result: If you’ve added one or more realms, they are now available from the Kerberos Login dialog box. If you’ve removed any realms, they are no longer available for use unless you add them again later on.
To find out how to change the default realm, refer to Changing preferences.
Changing preferences
You can make certain customizations to the Kerberos application by using the Preferences… command. These customizations also affect the Kerberos Login dialog anytime another application brings it up.
From the Kerberos (application) menu, choose Preferences…
Result: The Preferences dialog box appears (see illustrations below).
The Kerberos preferences are divided into several groups, with a tab for each group. Click on the tab for the preferences you want to modify:
- Ticket Defaults — preferences that control the default ticket options for the Kerberos Login dialog
- Username Defaults — preferences that control the default username and realm options for the Kerberos Login dialog
- Time Ranges — preferences that control the minimum, maximum, and default settings of the ticket lifetime and renewable lifetime sliders in the Kerberos Login dialog
- Behavior — preferences that control the way the Kerberos application displays information and other behaviors
Make changes to any of the following: