FreeBSD 5.2.x ships with Heimdal Kerberos in the base system. This document describes how to set up Kerberos V in the fewest steps.
It will be nice to have a distributed network which uses Kerberos for authentication and LDAP for name service lookups. Time permitting, I would like to implement support for managing Heimdal Kerberos accounts via my EzLDAP scripts, available at http://shankerbalan.com/ezldap.php. There is some rudimentary support (nasty hacks) for it in the source right now.
RedHat ships with a nice GNOME/Gtk GUI for kinit. Can't find it in ports though.
See http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kerberos5.html
#
# /etc/krb5.conf
#
[libdefaults]
default_realm = MYDOMAIN
[realms]
MYDOMAIN = {
kdc = godzilla.mydomain.com
}
[domain_realm]
.mydomain.com = MYDOMAIN
Store the master key (kstash writes it to /var/heimdal/m-key, which must stay readable by root only):
root# kstash
Master key: password1234
Verifying password - Master key: password1234
Initialise the realm named in krb5.conf and add a user principal:
root# kadmin -l
kadmin> init MYDOMAIN
Realm max ticket life [unlimited]:
kadmin> add shanu
Max ticket life [unlimited]:
Max renewable life [unlimited]:
Attributes []:
Password: secret1234
Verifying password - Password: secret1234
#
# /etc/rc.conf
#
kerberos5_server_enable="YES"   # Run a kerberos 5 master server (or NO).
kadmind5_server_enable="YES"    # Run kadmind (or NO)
kpasswdd_server_enable="YES"    # Run kpasswdd (or NO)
root# /etc/rc.d/kerberos start
root# /etc/rc.d/kadmind start
root# /etc/rc.d/kpasswdd start
root# tail -f /var/heimdal/kdc.log
As user "shanu":
[godzilla] ~> klist
klist: No ticket file: /tmp/krb5cc_1004
[godzilla] ~> kinit
shanu@MYDOMAIN's Password: secret1234
[godzilla] ~> klist
Credentials cache: FILE:/tmp/krb5cc_1004
Principal: shanu@MYDOMAIN
Issued Expires Principal
Mar 12 11:38:51 Mar 12 21:38:51 krbtgt/MYDOMAIN@MYDOMAIN
And in "kdc.log":
2004-03-12T11:38:51 AS-REQ shanu@MYDOMAIN from IPv4:192.168.1.24 for krbtgt/MYDOMAIN@MYDOMAIN
Add a host principal for the machine and extract its key into the default keytab, /etc/krb5.keytab (kadmin without -l talks to the running kadmind; kadmin -l works on the database directly as root):
root# kadmin
kadmin> add --random-key host/godzilla.mydomain.com
Max ticket life [unlimited]:
Max renewable life [unlimited]:
Attributes []:
kadmin> ext host/godzilla.mydomain.com
root# cd /etc/pam.d/
Uncomment the following lines in each pam.d service file to enable Kerberos authentication via the pam_krb5.so module:
# auth
auth		sufficient	pam_krb5.so	no_warn try_first_pass
# account
account		required	pam_krb5.so
pam_krb5 checks the TGT it obtains against the host key in /etc/krb5.keytab; that check is what stops someone who can answer in place of the KDC from logging in, so add and extract the host/ principal (above) before turning the module on.
#
# /etc/inetd.conf
#
telnet	stream	tcp	nowait	root	/usr/libexec/telnetd	telnetd -a user
telnet	stream	tcp6	nowait	root	/usr/libexec/telnetd	telnetd -a user
With -a user, telnetd only accepts connections that authenticate (here via Kerberos) as a principal allowed to log in to the requested account without a password; plain password logins over telnet are refused.
root# /etc/rc.d/inetd restart
See http://marc.theaimsgroup.com/?l=freebsd-current&m=107905791510665&w=2
"3.7.1 and 3.8 use different, incompatible GSSAPI mechanisms. You need to run the same version in both ends."
[godzilla] /etc/pam.d> ssh -V
OpenSSH_3.8p1 FreeBSD-20040226, SSH protocols 1.5/2.0, OpenSSL 0.9.7c 30 Sep 2003
#
# /etc/ssh/sshd_config
#
# Kerberos options
KerberosAuthentication yes
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup no
#KerberosGetAFSToken no
# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
On the client side:
#
# /etc/ssh/ssh_config
#
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
GSSAPIDelegateCredentials forwards a copy of your TGT to the server (that is the [forwarded, forwardable] TGS-REQ in the KDC log); anyone with root on that server can then act as you, so enable it only for hosts you trust, for example inside a Host block in ssh_config.
[godzilla] ~> ssh -v godzilla
OpenSSH_3.8p1 FreeBSD-20040226, SSH protocols 1.5/2.0, OpenSSL 0.9.7c 30 Sep 2003
[..]
debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
debug1: Next authentication method: gssapi-with-mic
debug1: Delegating credentials
debug1: Delegating credentials
debug1: Authentication succeeded (gssapi-with-mic).
[..]
[godzilla] ~>
root# tail -f /var/heimdal/kdc.log
2004-03-12T11:46:57 TGS-REQ shanu@MYDOMAIN from IPv4:192.168.1.24 for host/godzilla.mydomain.com@MYDOMAIN
2004-03-12T11:46:57 TGS-REQ shanu@MYDOMAIN from IPv4:192.168.1.24 for krbtgt/MYDOMAIN@MYDOMAIN [forwarded, forwardable]
Recompile cyrus-sasl2 with "MAKE_KERBEROS5=yes"
#
# /usr/local/etc/postfix/main.cf
#
# Enable SMTP auth
smtpd_sasl_auth_enable = yes
With only this set, Postfix also advertises PLAIN and LOGIN on an unencrypted port 25 session, as the EHLO reply below shows; adding smtpd_sasl_security_options = noplaintext, noanonymous removes the two cleartext mechanisms from the offer.
[godzilla] ~> telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 godzilla.mydomain.com ESMTP Postfix
ehlo there
250-godzilla.mydomain.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH NTLM LOGIN PLAIN GSSAPI DIGEST-MD5 CRAM-MD5
250-XVERP
250 8BITMIME
quit
221 Bye
Connection closed by foreign host.
[godzilla] ~>
I have not tested whether this works; I am not aware of a mail client which does GSSAPI right now.
OpenLDAP, if compiled against cyrus-sasl (which in turn has been compiled with Kerberos support), will now accept GSSAPI logins.
[godzilla] ~# kadmin -l
kadmin> add -r ldap/godzilla.mydomain.com@MYDOMAIN
kadmin> ext ldap/godzilla.mydomain.com
kadmin> exit
[godzilla] ~# chgrp ldap /etc/krb5.keytab
[godzilla] ~# chmod g+r /etc/krb5.keytab
[godzilla] ~# chgrp ldap /usr/local/etc/sasldb2
[godzilla] ~# ls -l /usr/local/etc/sasldb2
-rw-r-----  1 cyrus  ldap  24576 Mar 12 10:59 /usr/local/etc/sasldb2
[godzilla] ~# ls -l /etc/krb5.keytab
-rw-r-----  1 root   ldap    578 Mar 12 14:05 /etc/krb5.keytab
Making /etc/krb5.keytab group-readable by ldap also hands slapd the host/godzilla.mydomain.com key kept in the same file. A tighter setup extracts only the ldap/ key into its own file (ext -k /path/to/ldap.keytab ldap/godzilla.mydomain.com) and points slapd at it through the KRB5_KTNAME environment variable.
[godzilla] > ldapsearch -h localhost -I -b "" -s base -LLL supportedSASLMechanisms
SASL/GSSAPI authentication started
SASL Interaction
Please enter your authorization name:
SASL username: shanu@MYDOMAIN
SASL SSF: 56
SASL installing layers
dn:
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
root# tail -f /var/heimdal/kdc.log
2004-03-12T14:06:25 AS-REQ shanu@MYDOMAIN from IPv4:192.168.1.24 for krbtgt/MYDOMAIN@MYDOMAIN
2004-03-12T14:06:28 TGS-REQ shanu@MYDOMAIN from IPv4:192.168.1.24 for ldap/godzilla.mydomain.com@MYDOMAIN
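The KDC log lines on this page (the AS-REQ for the initial kinit, the TGS-REQs for the host/ and ldap/ services, and the forwarded TGT issued for ssh) are the audit trail a KDC operator should actually watch. The following Python is an added example, not part of the original page and not Heimdal's code: it parses lines in the format shown here and answers the questions worth asking of them (which service principals each client asked for, which requests delegated a TGT, and from which addresses a principal obtained its initial ticket). The first four log lines are copied from this page; the last two are constructed for the example, and the field layout is assumed to be exactly the one shown here.

```python
import re
from collections import defaultdict

# Log lines in the format this page shows for /var/heimdal/kdc.log. The first
# four are the lines from this page; the last two are constructed for the
# example and show the same principal authenticating from a second address.
SAMPLE_LOG = """\
2004-03-12T11:38:51 AS-REQ shanu@MYDOMAIN from IPv4:192.168.1.24 for krbtgt/MYDOMAIN@MYDOMAIN
2004-03-12T11:46:57 TGS-REQ shanu@MYDOMAIN from IPv4:192.168.1.24 for host/godzilla.mydomain.com@MYDOMAIN
2004-03-12T11:46:57 TGS-REQ shanu@MYDOMAIN from IPv4:192.168.1.24 for krbtgt/MYDOMAIN@MYDOMAIN [forwarded, forwardable]
2004-03-12T14:06:28 TGS-REQ shanu@MYDOMAIN from IPv4:192.168.1.24 for ldap/godzilla.mydomain.com@MYDOMAIN
2004-03-12T14:10:02 AS-REQ shanu@MYDOMAIN from IPv4:192.168.1.99 for krbtgt/MYDOMAIN@MYDOMAIN
2004-03-12T14:10:03 AS-REQ shanu@MYDOMAIN from IPv4:192.168.1.99 for krbtgt/MYDOMAIN@MYDOMAIN
"""

# <timestamp> <AS-REQ|TGS-REQ> <client> from <addr> for <service> [flags]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<req>AS-REQ|TGS-REQ) (?P<client>\S+) "
    r"from (?P<addr>\S+) for (?P<service>\S+)"
    r"(?: \[(?P<flags>[^\]]*)\])?$"
)


def parse_line(line):
    """Return a dict of fields for one request line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["flags"] = [f.strip() for f in rec["flags"].split(",")] if rec["flags"] else []
    # The log prefixes the address family: "IPv4:192.168.1.24", "IPv6:...".
    if rec["addr"].startswith("IPv"):
        rec["addr"] = rec["addr"].split(":", 1)[1]
    return rec


def parse_log(text):
    return [rec for rec in map(parse_line, text.splitlines()) if rec is not None]


def forwarded_tgts(records):
    """TGS-REQs that issued a forwarded TGT, i.e. a client delegated its
    credentials to a server (what GSSAPIDelegateCredentials yes produces)."""
    return [r for r in records if r["req"] == "TGS-REQ" and "forwarded" in r["flags"]]


def services_per_client(records):
    """Which service principals each client obtained tickets for."""
    out = defaultdict(set)
    for r in records:
        if r["req"] == "TGS-REQ":
            out[r["client"]].add(r["service"])
    return {client: sorted(svcs) for client, svcs in out.items()}


def initial_auth_addrs(records):
    """Addresses from which each principal completed an AS-REQ (a kinit or a
    PAM login). A principal whose TGTs start coming from a new host is the
    first thing to look at after a suspected password compromise."""
    out = defaultdict(set)
    for r in records:
        if r["req"] == "AS-REQ":
            out[r["client"]].add(r["addr"])
    return {client: sorted(addrs) for client, addrs in out.items()}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in forwarded_tgts(recs):
        print(f"{r['ts']} {r['client']} delegated a TGT from {r['addr']}")
    print(services_per_client(recs))
    print(initial_auth_addrs(recs))
```

Run against the page's lines it reports the single delegation from the ssh session, three service principals for shanu@MYDOMAIN, and the two addresses the constructed AS-REQs add; feeding it the live kdc.log instead of SAMPLE_LOG is the obvious next step.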
#
# /usr/local/etc/openldap/slapd.conf
#
sasl-realm	MYDOMAIN
sasl-host	godzilla.mydomain.com
sasl-regexp
	uid=(.*),cn=MYDOMAIN,cn=gssapi,cn=auth
	ldap:///dc=mydomain,dc=com??sub?(uid=$1)
# ACLs
# Allows users access to their passwords
access to attribute=userPassword,sambaLMPassword,sambaNTPassword
by dn="cn=manager,dc=mydomain,dc=com" write
by anonymous auth
by self write
by * none
root# /etc/rc.d/slapd restart
[godzilla] ~> kdestroy
[godzilla] ~> kinit
shanu@MYDOMAIN's Password: secret1234
[godzilla] > ldapwhoami
SASL/GSSAPI authentication started
SASL username: shanu@MYDOMAIN
SASL SSF: 56
SASL installing layers
dn:uid=shanu,ou=people,dc=mydomain,dc=com
[godzilla] ~> ldapsearch -h localhost -I -b"dc=mydomain,dc=com" uid=shanu userPassword
SASL/GSSAPI authentication started
SASL Interaction
Please enter your authorization name: <Hit enter>
SASL username: shanu@MYDOMAIN
SASL SSF: 56
SASL installing layers
# extended LDIF
#
# LDAPv3
# base <dc=mydomain,dc=com> with scope sub
# filter: uid=shanu
# requesting: userPassword
#

# shanu, people, mydomain.com
dn: uid=shanu,ou=people,dc=mydomain,dc=com
userPassword:: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=

# search result
search: 5
result: 0 Success

# numResponses: 2
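To make concrete what slapd does with the sasl-regexp and the userPassword ACL above, here is an added Python model of the two steps (example code written for this page, not OpenLDAP's own implementation): the SASL username shanu@MYDOMAIN becomes the authorization DN uid=shanu,cn=MYDOMAIN,cn=gssapi,cn=auth, the regexp rewrites that into the LDAP URL whose single search result becomes the bind DN (the one ldapwhoami prints), and the ACL is then evaluated top-down with the first matching "by" clause winning. The in-memory directory, the extra guest entry and the password values are constructed for the example; the realm check the regexp performs (a principal from any other realm stays unmapped) is the security-relevant part.

```python
import re

# Constructed stand-in for the directory this page searches under dc=mydomain,dc=com.
DIRECTORY = {
    "uid=shanu,ou=people,dc=mydomain,dc=com": {"uid": "shanu", "userPassword": "{SSHA}constructed"},
    "uid=guest,ou=people,dc=mydomain,dc=com": {"uid": "guest", "userPassword": "{SSHA}constructed"},
}
MANAGER_DN = "cn=manager,dc=mydomain,dc=com"

# The sasl-regexp pair from slapd.conf on this page.
SASL_REGEXP = r"uid=(.*),cn=MYDOMAIN,cn=gssapi,cn=auth"
SASL_URL = "ldap:///dc=mydomain,dc=com??sub?(uid=$1)"

# The 'access to attribute=userPassword,...' clause, 'by' entries in file order.
PASSWORD_ACL = [
    ("dn", MANAGER_DN, "write"),
    ("anonymous", None, "auth"),
    ("self", None, "write"),
    ("*", None, "none"),
]
LEVELS = ["none", "auth", "compare", "search", "read", "write"]


def sasl_authz_dn(sasl_username):
    """slapd represents a SASL identity user@REALM as uid=user,cn=REALM,cn=<mech>,cn=auth."""
    user, _, realm = sasl_username.partition("@")
    return f"uid={user},cn={realm},cn=gssapi,cn=auth"


def map_to_dn(sasl_username):
    """Apply the sasl-regexp: match the authz DN, substitute $1 into the URL,
    run the search, and accept the result only if exactly one entry matches."""
    m = re.fullmatch(SASL_REGEXP, sasl_authz_dn(sasl_username))
    if m is None:
        return None  # other realm or mechanism: the identity is left unmapped
    base, _attrs, scope, filt = SASL_URL[len("ldap:///"):].split("?")
    assert scope == "sub"
    wanted = re.fullmatch(r"\(uid=(.*)\)", filt.replace("$1", m.group(1))).group(1)
    hits = [dn for dn, entry in DIRECTORY.items()
            if dn.endswith("," + base) and entry["uid"] == wanted]
    return hits[0] if len(hits) == 1 else None


def password_access(bind_dn, target_dn):
    """Evaluate the ACL as slapd does: the first 'by' clause that matches wins.
    bind_dn is None for an anonymous bind."""
    for who, arg, level in PASSWORD_ACL:
        if who == "dn" and bind_dn == arg:
            return level
        if who == "anonymous" and bind_dn is None:
            return level
        if who == "self" and bind_dn is not None and bind_dn == target_dn:
            return level
        if who == "*":
            return level
    return "none"


def can_read_password(bind_dn, target_dn):
    return LEVELS.index(password_access(bind_dn, target_dn)) >= LEVELS.index("read")


if __name__ == "__main__":
    me = map_to_dn("shanu@MYDOMAIN")
    print("ldapwhoami ->", me)
    print("self reads userPassword:", can_read_password(me, me))
    print("shanu@OTHER maps to:", map_to_dn("shanu@OTHER"))
    print("anonymous gets:", password_access(None, me))
```

The "by anonymous auth" line is what lets a simple bind still verify a password without anyone being able to read the hash, and "by * none" is why the guest entry, once mapped, gets nothing on shanu's userPassword.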
[godzilla] ~> kdestroy
[godzilla] ~> ldapsearch -h localhost -I -b"dc=mydomain,dc=com" uid=shanu userPassword
SASL/GSSAPI authentication started
SASL Interaction
Please enter your authorization name: <Hit Enter>
ldap_sasl_interactive_bind_s: Local error (82)
additional info: SASL(-1): generic failure: GSSAPI Error:
Miscellaneous failure (see text) (open(/tmp/krb5cc_1004):
No such file or directory)
TaDa!
See also:
More work on Kerberos/LDAP/Samba integration: http://marc.theaimsgroup.com/?l=samba-technical&m=107797135318875&w=2
FreeBSD Handbook, 10.7 Kerberos5: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kerberos5.html
What is Heimdal?: http://www.pdc.kth.se/heimdal/heimdal.html
FreeBSD Security Mailing Lists: http://marc.theaimsgroup.com/?l=freebsd-security