User Kerberos Tutorial
From ClueWiki
Cluenet is moving to an authentication system based on Heimdal Kerberos. Normal password entry when you log in to servers should still work, but Kerberos provides many more features that you can take advantage of. This is a small tutorial geared toward users setting up the Kerberos utilities on their home machines to interface with Cluenet.
Kerberos works using a scheme of tickets. A Kerberos ticket is analogous to a ticket for a performance: at the gate you present your ticket, and with it you gain entry. With Kerberos, your client sends a ticket to the server, and the server verifies it and authenticates you; your password is never sent to that server at all. Continuing with the analogy, you get the ticket from the box office, and the ticket has an expiration date. With Kerberos, the "box office" is called the KDC (Key Distribution Center). Just like a ticket for a performance, a Kerberos ticket is only valid for one service on one server. A ticket for SSH on one server will not authenticate you to SSH on another server; your client has to get another ticket from the KDC for that one.
There is a special kind of ticket called the TGT, or ticket granting ticket. To get it, you enter your password and the KDC sends you a TGT. Once you hold a TGT, your client sends it to the KDC to obtain tickets for individual services, usually automatically and without asking for your password again. The TGT, like every other ticket, expires after a set lifetime, usually around 10 hours; after that you have to enter your password again to get a new one. Tickets are kept in a credential cache on your machine, and anyone who can read that cache can act as you until the tickets expire, so the cache is only as safe as the machine and account it lives on.
In Kerberos, an identity that holds a password or key is called a principal; a user principal is what your password is tied to, so for practical purposes it is your account. (This is a simplification, but it works.) Principal names end in a realm. In Cluenet's case, the realm is CLUENET.ORG, so the principal for a user called tommy is tommy@CLUENET.ORG. The @CLUENET.ORG part can usually be left off when CLUENET.ORG is the default realm in your configuration.
There are several utilities that are used with Kerberos, plus a few libraries that let other programs (through GSSAPI and SASL) authenticate with your tickets. To install them on Debian, run as root:
apt-get install heimdal-clients heimdal-kcm libgssapi4-heimdal libsasl2-modules-gssapi-heimdal
It's a good time to point out that there are several different implementations of Kerberos. The two most common are Heimdal and MIT. They speak the same protocol on the wire, but their command-line options and some krb5.conf settings differ. Cluenet uses Heimdal, and you should too: with MIT or another implementation, some things might work, but other things will break. Some distributions (like Fedora Core) only have MIT Kerberos packages in their repositories. If this is the case, either compile Heimdal yourself (it's not hard) or use a distribution that packages it.
Once you install the Kerberos clients, you will need to configure Kerberos. The configuration lives in /etc/krb5.conf . Cluenet provides a central, up-to-date krb5.conf along with a script that downloads and installs it. The script is at the URL below and needs to be run as root. To download and run it in one step, run this command as root:
wget -O - http://noc.cluenet.org/distconf/heimdal/krb5.conf.sh | bash
Be aware that this feeds whatever the server returns, over unauthenticated HTTP, straight into a root shell. If you would rather inspect the script first, fetch it with wget to a file, read it, and then run that file with bash. Either way, verify afterwards that /etc/krb5.conf exists and looks properly configured (it should at least list CLUENET.ORG as a realm).
There are several Kerberos utilities that you should know about. First of all, "kinit" gets a ticket; by default it gets the TGT. When you run it, it asks for your Kerberos password. If your local username differs from your Kerberos principal name, give the principal name (for example tommy@CLUENET.ORG) as an argument to kinit, because kinit otherwise assumes your local username is the principal.
The "klist" utility is simple: it lists all of the tickets you currently hold, with their expiry times.
The "kdestroy" utility is also simple: it deletes all of the tickets you currently hold. Run it when you are done on a shared machine so nobody else can use your cache.
There are a few other utilities, like "kpasswd" and "kadmin". The "kpasswd" utility changes your Kerberos password. The "kadmin" utility is only used by administrators, to manage principals on the KDC.
Install the Heimdal Kerberos utilities and try them out. Make sure you can run kinit and see the resulting TGT with klist. After that, you may want to configure some applications to use Kerberos. Some, like LDAP clients using SASL/GSSAPI, will use your tickets automatically if you hold them. SSH also supports Kerberos (through GSSAPI), but may need a little configuration first.
To configure SSH to use Kerberos, all you should have to do is add a few lines to the SSH client config file. On Debian, there's a pseudo-package that adds these entries for you:
apt-get install ssh-krb5
All that this package does is add a few lines to /etc/ssh/ssh_config and /etc/ssh/sshd_config. After installing it (or after editing the file by hand on other distributions), verify that /etc/ssh/ssh_config contains the following lines:
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
The second line is optional. It forwards a copy of your TGT to the remote host, so that from there you can reach further Kerberos-enabled services without entering your password again. It also means the remote host can act as you anywhere in the realm until that ticket expires, so enable it only for hosts you trust, ideally inside a Host block for those hosts rather than globally. The TGT you forward must also be forwardable (the forwardable option in krb5.conf, or kinit's -f flag); otherwise nothing is delegated. After SSH is configured to use Kerberos, it should be able to log in to Kerberos-enabled servers without entering a password and without SSH public/private keys. All you should have to do is get the TGT with kinit and run ssh.
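Putting the checks together: the script below is an added example, not part of the ClueWiki page or of Cluenet's distconf script. Without touching the network, it verifies that a krb5.conf names CLUENET.ORG as the default realm and has a [realms] entry for it, reports whether an ssh_config forwards credentials to every host or only to hosts named in a Host block, and prints a hardened ssh_config fragment that limits delegation to hosts under one domain. The sample files it writes are constructed here; the KDC hostname kdc.example.org is a placeholder, and the cluenet.org host pattern used for the Host block is an assumption.

```shell
#!/bin/sh
# Added example, not from the ClueWiki page: offline sanity checks for the
# Kerberos and SSH client configuration described above. Realm CLUENET.ORG is
# from the page; kdc.example.org and the cluenet.org host pattern are
# placeholders/assumptions.
set -eu

# Succeed if the krb5.conf at $1 sets default_realm to $2 and has a [realms]
# entry for it. Dots in the realm act as regex wildcards, which is fine here.
krb5_conf_ok() {
    conf=$1
    realm=$2
    [ -r "$conf" ] || return 1
    default=$(sed -n '/^[[:space:]]*default_realm[[:space:]]*=/{s/^[^=]*=[[:space:]]*//;s/[[:space:]]*$//;p;}' "$conf" | head -n 1)
    [ "$default" = "$realm" ] || return 1
    awk -v realm="$realm" '
        /^[[:space:]]*\[/ { in_realms = ($0 ~ /^[[:space:]]*\[realms\]/) }
        in_realms && $0 ~ ("^[[:space:]]*" realm "[[:space:]]*=") { found = 1 }
        END { if (found) exit 0; exit 1 }' "$conf"
}

# Print "global", "per-host" or "no": where the ssh_config at $1 turns on
# GSSAPIDelegateCredentials. "global" means every server you ssh to gets a copy
# of your TGT; "per-host" means only hosts named in a Host/Match block do.
gssapi_delegation_scope() {
    awk '
        BEGIN { scope = "global"; result = "" }
        tolower($1) == "host" || tolower($1) == "match" {
            scope = ($2 == "*" || tolower($2) == "all") ? "global" : "per-host"
        }
        tolower($0) ~ /^[[:space:]]*gssapidelegatecredentials[[:space:]=]+yes([[:space:]]|$)/ {
            if (result != "global") result = scope
        }
        END { if (result == "") result = "no"; print result }' "$1"
}

# Print an ssh_config fragment that uses GSSAPI everywhere but forwards the TGT
# only to hosts under $1. ssh takes the first value set for each option, so the
# specific Host block has to come before the catch-all.
hardened_ssh_config() {
    cat <<EOF
Host *.$1
    GSSAPIDelegateCredentials yes

Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no
EOF
}

# Write constructed sample files into directory $1 for the demo and the checks.
write_samples() {
    dir=$1
    cat > "$dir/krb5.conf" <<'EOF'
[libdefaults]
    default_realm = CLUENET.ORG
    forwardable = true

[realms]
    CLUENET.ORG = {
        kdc = kdc.example.org
    }
EOF
    # Same file, but with a different default realm: must be rejected.
    sed 's/^\([[:space:]]*default_realm[[:space:]]*=\).*/\1 EXAMPLE.ORG/' "$dir/krb5.conf" > "$dir/krb5-wrong.conf"
    # The two lines the tutorial tells you to verify, applied to every host.
    printf 'GSSAPIAuthentication yes\nGSSAPIDelegateCredentials yes\n' > "$dir/ssh_config-global"
    hardened_ssh_config cluenet.org > "$dir/ssh_config-hardened"
}

# Demo on the constructed samples.
tmp=$(mktemp -d)
write_samples "$tmp"
krb5_conf_ok "$tmp/krb5.conf" CLUENET.ORG && echo "sample krb5.conf: ok"
krb5_conf_ok "$tmp/krb5-wrong.conf" CLUENET.ORG || echo "wrong-realm krb5.conf: rejected"
echo "tutorial ssh_config delegates credentials: $(gssapi_delegation_scope "$tmp/ssh_config-global")"
echo "hardened ssh_config delegates credentials: $(gssapi_delegation_scope "$tmp/ssh_config-hardened")"
rm -rf "$tmp"
```

To check a real machine, copy the functions into a shell and point krb5_conf_ok at /etc/krb5.conf and gssapi_delegation_scope at /etc/ssh/ssh_config; a result of "global" from the latter means your TGT goes to every host you ssh to.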
Note that, at present, most Cluenet servers do not have Kerberos enabled on them, but this will soon change.

