Kerberos

Implementation
OpenBSD doesn't use MIT Kerberos. It uses Heimdal instead.

Setup
Heimdal comes with OpenBSD. Just edit /etc/krb5.conf. (This file may be in /etc/heimdal/krb5.conf).

Sample krb5.conf (for a realm called OPENBSD.RULES)
    [libdefaults]
        default_realm = OPENBSD.RULES

    [realms]
        OPENBSD.RULES = {
            kdc = my.master my.slave
        }

    [domain_realm]
        .my.domain = OPENBSD.RULES
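As an added example (not part of the original page), here is a small parser for the krb5.conf layout shown above, plus a sanity check that the default realm actually has KDCs and a domain_realm mapping. The sample config is constructed here and lists the two KDCs on separate `kdc =` lines, the repeated-key convention Heimdal and MIT both accept.

```python
"""Parse a krb5.conf subset and check the default realm is usable (constructed example)."""
import re

# Constructed sample in the shape of the page's krb5.conf, with one kdc per line.
SAMPLE = """\
[libdefaults]
    default_realm = OPENBSD.RULES
[realms]
    OPENBSD.RULES = {
        kdc = my.master
        kdc = my.slave
    }
[domain_realm]
    .my.domain = OPENBSD.RULES
"""

def parse_krb5_conf(text):
    """Parse [section] blocks, key = value lines and nested { } groups.
    Repeated keys (e.g. several 'kdc =') collect into a list in order."""
    root, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        m = re.match(r"^\[(\S+)\]$", line)
        if m:                                     # new top-level section
            stack = [root.setdefault(m.group(1), {})]
            continue
        if line == "}":                           # close nested group
            stack.pop()
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if value == "{":                          # open nested group, e.g. a realm
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1].setdefault(key, []).append(value)
    return root

def check_default_realm(conf):
    """Return a list of problems: the default realm needs kdc entries and a
    domain_realm mapping, otherwise clients cannot locate the KDC for it."""
    problems = []
    realm = conf.get("libdefaults", {}).get("default_realm", [None])[0]
    if realm is None:
        return ["no default_realm"]
    entry = conf.get("realms", {}).get(realm)
    if not isinstance(entry, dict) or not entry.get("kdc"):
        problems.append(f"realm {realm} has no kdc entries")
    mapped = {v[0] for v in conf.get("domain_realm", {}).values()}
    if realm not in mapped:
        problems.append(f"no domain_realm mapping to {realm}")
    return problems
```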

Setting up "Realms"
Run these commands (replace OPENBSD.RULES with your realm and MonkeyJones with your own password; empty fields are where you press Enter):
 * 1) mkdir /var/heimdal
 * 2) kstash --random-key
 * 3) kadmin -l
      kadmin> init OPENBSD.RULES
      Realm max ticket life [unlimited]:
      Realm max renewable ticket life [unlimited]:
      kadmin> add me
      Max ticket life [unlimited]:
      Max renewable life [unlimited]:
      Attributes []:
      Password: MonkeyJones
      Verifying password - Password: MonkeyJones
      kadmin> exit
 * 4) kdc &

Masters and Slaves
You think about slavery, right? But in Kerberos, master means "main Kerberos server" and slave means "last-resort Kerberos server".

Setting up Slaves
Install OpenBSD on another computer (the slave). Then, on the slave, edit /etc/rc.conf and change:
    krb5_slave_kdc=NO
to:
    krb5_slave_kdc=YES
and add these lines to /etc/inetd.conf:
    slave stream tcp nowait root /usr/libexec/hpropd hpropd
    slave stream tcp6 nowait root /usr/libexec/hpropd hpropd
Then run:
 * 1) ktutil get -p foo/admin hprop/`hostname`
 * 2) mkdir /var/heimdal
 * 3) hpropd &

Setting up Masters
Edit /etc/rc.conf and change:
    krb5_master_kdc=NO
to:
    krb5_master_kdc=YES

Sending Master Data to Slaves
Once the slaves are set up and running hpropd, run this on the master: hprop