Authenticating on the network

Authenticating on the network


Usually, I get annoyed at having to authenticate myself to each and every service I set up; after all, my passwords are the same everywhere, since I make sure of that myself. On Windows, I wouldn’t have to do that; once I log in, Windows is able to communicate credentials to each and every service that asks for them. But something similar is impossible on GNU/Linux, right? Wrong.

Single sign-on

In fact this communicating of credentials, known as “”"single sign-on"“”, has been possible on UNIX and UNIX-like operating systems longer than it has been possible on Windows. The authentication protocol that’s been in use for Windows ever since Windows 2000—Kerberos—was designed and first implemented for UNIX. In the 1980’s. By now, there are three UNIX-implementations of this protocol: the original MIT reference implementation, a second implementation called “”"Heimdal"“”, and the latest one from GNU called “”"Shishi"“”. With Kerberos, it’s possible to authenticate to SSH, HTTP, IMAP, LDAP, NFS, and a whole bunch of other servers—without unnecessarily entering your password.

So why doesn’t every GNU/Linux distribution out there support Kerberos or single sign-on out of the box? Well, that’s a good question. For one thing, they actually do ; all the necessary support packages for at least one of the three implementations is available in all the major distributions; and more and more protocols get support for Kerberos authentication, even today. It’s just that Kerberos has a bit of a reputation of being quite hard to understand, and rather hard to implement or deploy. This reputation isn’t entirely undeserved; but as you’ll see, it’s not all that hard, either.

No sprouts for me, mommy!

The main problem with Kerberos is that it’s quite picky about the setup of your network and its systems; you have to get the time of all your systems right, or it will refuse to authenticate. Doing lookup of names on your network has to work; your reverse lookups (converting an IP address to the name with which you refer to it) must turn up a name that resolves to the same IP address you were looking up in the first place. But once you’ve got that right, it all works pretty good. And you’ll have a proper network in most other senses of that word, anyway. Isn’t that nice?

Once you’ve set up your network so that Kerberos likes it, it’s a proper network in most senses of the word, anyway

So how does it all work? It’s important to remember that in any Kerberos authentication dialogue, there are three parties: the Kerberos server, the client requesting a service, and the server requesting proof of identity. They all need to have credentials—principals, in Kerberos-terminology—stored in the Kerberos database. Enabling Kerberos authentication in any service usually boils down to four steps:

  1. Creating a Kerberos principal
  2. Storing the Kerberos principal on the server system so that it can access it
  3. Modifying the server’s configuration so that it accepts Kerberos-based authentication
  4. Configuring the client so that it tries Kerberos authentication

In most cases, that’s it. Usually you’ll be able to configure client-software on a system-wide basis; and in most (if not all) cases falling back to regular password-based authentication is possible, too. The hardest part in setting up Kerberos authentication is, usually, to set up the initial Kerberos realm on the Kerberos server. But that, you have to do only once. Let’s do that now, shall we?

Getting your hands dirty

What follows is a pretty hands-on explanation of how to set up a Kerberos realm. We don’t explain everything; but if you want it all working now, the Kerberos distribution comes with pretty good documentation (see below). The example works on Debian; it should also work on other distributions, but you may have to change some of the details.

To make sure Kerberos likes your network, it’s a good idea to install ntpd which will fix the timing issues. As for the name resolving issues, try ping localhost ; if that returns things like

 64 bytes from host.example.com (127.0.0.1): icmp_seq=1...

while running hostname --fqdn returns host.example.com, you’re all set. If not, fiddle with /etc/hosts until it does. You should also try to ping your hosts from different machines, and the result should be similar.

With that out of the way, you should now install the server-side Kerberos software on the machine that will serve as the Kerberos server. With that done, run kdb5_util create -s, which will ask you a few questions and then create your Kerberos realm. Next you should create an ACL file for the kdc, which will tell the latter who can create and/or manage Kerberos principals. An easy (and yet safe enough for most cases) ACL file would look like this:

 */admin *

You will need to store that file as /etc/krb5kdc/kadm5.acl. Now it’s time to start the kdc ( /usr/sbin/krb5kdc ) and the admin server ( /usr/sbin/kadmind ). Next, run /usr/sbin/kadmin.local to create the initial principals:

# kadmin.local
> addprinc root/admin@REALM
[...]
> addprinc wouter@REALM
[...]
> quit
#

Both will ask you to enter a password; it’ll be easiest for you to remember if you just use your own password for that. Obviously, you should also replace REALM by the realm name you’ve created.

By now, you have a fully operational Kerberos realm. You can play a bit with kinit, klist and kdestroy (read their manpages). Next will be to set up the different servers so that they support Kerberos authentication, followed by the clients; and to finish it all properly, we should also configure PAM to authenticate against the Kerberos server rather than /etc/passwd.

But that’s for another time.

More information

If you want to find out more about Kerberos, you should go to the Kerberos website at MIT. Additionally, the MIT Kerberos source ships with good documentation for the unpatient on how to set up Kerberos-enabled servers. Try running info krb5-install to get a taste of the goods.

Category: 
Hacking
Tagging: 
kerberos
authentication
howto

Comments

Anonymous visitor's picture
Submitted by Anonymous visitor (not verified) on

Thanks for article.

Author information

Wouter Verhelst's picture

Biography

Wouter is an independent contractor specializing on Free Software. In his free time, he contributes to the Debian Project as a Debian Developer.

Most forwarded

Interview with Dave Mohyla, of DTIDATA

Dave Mohyla is the president and founder of dtidata.com, a hard drive recovery facility based in Tampa, Florida.

TM: Where are you based? What does your company do?
DTI Data recovery is based in South Pasadena, Florida which is a suburb of Tampa. We have been here for over 10 years. We operate a bio-metrically secured class 100 clean room where we perform hard drive recovery on all types of hard disks, from laptop hard drives to multi drive RAID systems.

Anybody up to writing good directory software?

Since the very beginning, directories (of any kind) have had a very central role in the internet. (I have recently grown fond of Free Web Directory. Even Slashdot can be considered a directory: a collection of great news and invaluable user-generated comments. As far as software is concerned, doing a quick search on Google about software directories will return the free (as in freedom) software directories like Savannah, SourceForge, Freshmeat and so on, followed by shareware and freeware sites such as FileBuzz, PCWin Download Center and All Freeware (great if you're looking for shareware and freeware, but definitely less comprehensive than their free-as-in-freedom counterparts).

Interview with Mark Shuttleworth

Mark Shuttleworth is the founder of Thawte, the first Certification Authority to sell public SSL certificates. After selling Thawte to Verisign, Mark moved on to training as an astronaut in Russia and visiting space. Once he got back he founded Ubuntu, the leading GNU/Linux distribution. He agreed on releasing a quick interview to Free Software Magazine.

Is better education the key to finding better software?

I read David Jonathon's article Anybody Up To Writing Good Directory Software? the other day, which got me thinking about software directories in general. As David mentioned, many of the software directories one finds when doing a quick google search are free as in beer, not as in freedom. But what interests me is the software directories that already exist, providing a combination of both free as in beer software, and open source software. Sites such as Freeware Downloads and Shareware Download don't advertise themselves as providing free as in liberty software, but each of them have a good selection of open source software available... if you know where to look.

Most emailed

Free Open Document label templates

If you’ve ever spent hours at work doing mailings, cursed your printer for printing outside the lines on your labels, or moaned “There has got to be a better way to do this,” here’s the solution you’ve been looking for. Working smarter, not harder! Worldlabel.com, a manufacture of labels offers Open Office / Libre Office labels templates for downloading in ODF format which will save you time, effort, and (if you want) make really cool-looking labels

Creating a user-centric site in Drupal

A little while ago, while talking in the #drupal mailing list, I showed my latest creation to one of the core developers there. His reaction was "Wow, I am always surprised what people use Drupal for". His surprise is somehow justified: I did create a site for a bunch of entertainers in Perth, a company set to use Drupal to take over the world with Entertainers.Biz.

Update: since writing this article, I have updated the system so that the whole booking process happens online. I will update the article accordingly!

So, why, why do people and companies develop free software?

More and more people are discovering free software. Many people only do so after weeks, or even months, of using it. I wonder, for example, how many Firefox users actually know how free Firefox really is—many of them realise that you can get it for free, but find it hard to believe that anybody can modify it and even redistribute it legally.

When the discovery is made, the first instinct is to ask: why do they do it? Programming is hard work. Even though most (if not all) programmers are driven by their higher-than-normal IQs and their amazing passion for solving problems, it’s still hard to understand why so many of them would donate so much of their time to creating something that they can’t really show off to anybody but their colleagues or geek friends.

Sure, anybody can buy laptops, and just program. No need to get a full-on lab or spend thousands of dollars in equipment. But... is that the full story?

Fun articles

Santa Claus - the most successful open source project

It dawned on me the other day, as I was shopping for the dozens of gifts it seems I have to buy every December, that Santa Claus is the most successful open source project in history. (Bridget @ Illiterarty would agree with that). Santa Claus is essentially a marketing development that is embodied by everyone who stuffs a sock, gives a gift, hosts a dinner or wishes Merry Christmas over the holiday season.

Most emailed

Editorial

When I first started thinking about Free Software Magazine, I was feeling enthusiastic about the dream. I had Dave, Gianluca, and Alan willing to help me, I had established members of the free software community willing to help me out, I had writers volunteering their time and energy for free, and I had a generous offer from OpenHosting for servers, all before I'd proved myself. There was a sense of excitement in the air, and I thought maybe, just maybe, I could make this work.

Free Software Magazine uses Apollo project management software and CRM for its everyday activities!