mir/kea
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/kea synced 2025-08-23 02:17:33 +00:00
Code Issues Releases Wiki Activity
kea/doc/sphinx/arm/ext-gss-tsig.rst

112 lines
3.2 KiB
ReStructuredText
Raw Normal View History

[#2018] Ported install doc
2021-08-18 09:27:12 +02:00
.. _gss-tsig:
****************
GSS-TSIG Support
****************
.. _gss-tsig-overview:
GSS-TSIG Overview
=================
Kea provides in a premium hook the support of GSS-TSIG to protect DNS
updates sent by the Kea DHCP-DDNS (aka D2) server.
GSS-TSIG uses a GSS-API for Kerberos 5 with SPENO library such as
the MIT Kerberos 5 or the Heimdal libraries.
.. note:
This is a work in progress.
.. _gss-tsig-install:
Installing GSS-TSIG
===================
This is a page explaining how to install Kea with GSS-TSIG support.
This procedure was tested on Ubuntu 20.10 and 21.04:
1. Get the kea sources, this will do the trick extracting to ``kea/``
directory:
.. code-block:: console
$ git clone https://gitlab.isc.org/isc-projects/kea.git
2. Get the premium sources - go to
https://gitlab.isc.org/isc-external/kea-gss-tsig and click download
or clone from there, using either https or git. Using git requires
setting up SSH keys which you can do on your own in your
`gitlab preferences <https://gitlab.isc.org/-/profile/keys>`__.
Extract to ``kea/premium/`` directory.
3. Run autoreconf:
.. code-block:: console
autoreconf -i
4. Make sure ``./configure --help`` shows the ``--with-gssapi`` option.
5. Install either MIT (``libkrb5-dev``) or Heimdal (``heimdal-dev``) library,
for instance:
.. code-block:: console
sudo apt install libkrb5-dev
6. Run configure with the ``--with-gssapi`` option:
.. code-block:: console
./configure --with-gssapi
.. note:
It is ``--with-gssapi`` (without dash between gss and api) to keep
consistency with BIND 9 option.
The ``--with-gssapi`` requires ``krb5-config`` tool to be present. This
tool is provided by both MIT Kerberos 5 and Heimdal, on some systems
where both Kerberos 5 and Heimdal are installed it is a symbolic link
to one of them. If it's not in your standard location, you may specify
it with ``--with-gssapi=/path/to/krb5-config``. Since this is an early
prototype, it is strongly recommended to use default installation
locations as provided by packages.
The ``./configure`` script should complete with a successful GSS-API
detection, similar to this:
::
GSS-API support:
GSSAPI_CFLAGS: -isystem /usr/include/mit-krb5
GSSAPI_LIBS: -L/usr/lib/x86_64-linux-gnu/mit-krb5 -Wl,-Bsymbolic-functions -Wl,-z,relro -lgssapi_krb5 -lkrb5 -lk5crypto -lcom_err
7. Compile as usual ``make -jX`` where X is the number of CPU cores
available.
8. After compilation, the gss_tsig hook is available in the
``premium/src/hooks/d2/gss_tsig`` directory.
It can be loaded by the D2.
The gss_tsig was developed using the MIT Kerberos 5 implementation but
Heimdal is supported too. Note that Heimdal is picky about security
sensitive file permissions but emits an unclear error message. Anyway
it is a good idea to keep these files as plain, with one link and and
no access for the group or other users.
The krb5-config script should provide an ``--all`` option which
identifies the implementation: in any report about the GSS-TSIG report
please add the result of the ``--all`` option of the krb5-config used
to configure Kea.
.. _gss-tsig-using:
Using GSS-TSIG
==============
To be done.
Reference in New Issue Copy Permalink