Kerberos, final bits

Two weeks ago, I explained how to set up a Kerberos realm; and last week, I went on to describe how to actually do something useful with it by setting up Kerberized NFS. But there’s so much more interesting stuff that can be done with Kerberos, and it would be a shame to ignore that.

GSSAPI, SASL, and negotiation

Before I can go ahead and detail everything Kerberos, it’s important for you to understand a few things. A server that requires authentication cannot just blindly assume that every client it talks to is able to do Kerberos authentication. Similarly, a client cannot assume that any server will understand its Kerberos tokens, even if it believes the server has a principal. As a result, there must be some level of negotiation between server and client: if both understand and want to talk Kerberos, there can be Kerberos authentication; if not, there can’t be.

However, this negotiation is outside the scope of the Kerberos protocol itself, which only deals with handing out tickets. How client and server agree to use Kerberos, and how the Kerberos tickets then travel from the client to the server and vice versa, is up to them. Once the KDC, the Key Distribution Center, has decided that a given client may have a ticket for a service and has issued it, it considers its job done.

So every protocol that supports Kerberos authentication has some standard way of negotiating its use. That can be a protocol-specific mechanism, as with HTTP, where the server offers the Negotiate scheme in a WWW-Authenticate header and the client answers with an Authorization header carrying the token; or it can be SASL, the Simple Authentication and Security Layer, as is done for LDAP and for IMAP (its AUTHENTICATE command is a SASL profile).

Additionally, once negotiation is done and client and server have agreed on Kerberos authentication, the client needs to obtain a ticket for the service from the KDC and present that to the server. Kerberos v4 defined, as part of the protocol, how a ticket should be encoded and wrapped inside another protocol; for Kerberos v5, this has been generalized into the GSSAPI (Generic Security Services API), a mechanism-independent interface which can carry not only Kerberos tickets, but also the authentication tokens of other mechanisms, such as SPKM-3 ("Simple Public-Key Mechanism"). In GSSAPI, the careful reader will recognize the "gss" part of the gss/krb5 security method you need to enter in /etc/exports for NFS to use Kerberos, as detailed last week.

Getting our hands dirty

With that knowledge, you can go ahead and set up Kerberos as part of several protocols. The first protocol to look at is SSH. Even though it’s possible to use SSH keys if you want to avoid having to enter a passphrase every time you log in, distributing and revoking those keys gets messy once you have more than a handful of machines to take care of.

Recalling from last time, these are the steps to take when enabling Kerberos for a service:

  1. Create the service principal, and store it in the keytab
  2. Configure the server so that it allows for Kerberos authentication
  3. Configure the client so that it does the same.

PAM and SSH

Kerberos generalizes everything that will get you a shell into one service principal. So whether you use PAM, Kerberized Telnet, or Kerberized SSH for authentication, the service principal is always host/<fqdn>@REALM, where <fqdn> is the host’s canonical name in lower case. For rock.grep.be in the GREP.BE realm, this becomes host/rock.grep.be@GREP.BE. Creating a service principal and storing it in the keytab is done with kadmin, as detailed in last week’s article. PAM is a bit of a special case here: rather than using a Kerberos ticket to authenticate you, it takes the password you type and uses it to request a ticket from the KDC; pam_krb5 then verifies that ticket against the host key in the keytab, so that a spoofed KDC cannot simply answer "yes". If you don’t use PAM, you need to use kinit and kdestroy to manage your tickets.

In OpenSSH, enabling Kerberos authentication is done by adding GSSAPIAuthentication yes and KerberosAuthentication yes to /etc/ssh/sshd_config (the first lets a client authenticate with a ticket; the second lets sshd verify a typed password against the KDC). For PAM, there is the pam_krb5.so module. It’s usually best to avoid Kerberos authentication when trying to log on as root; otherwise, once the network or the KDC is down, you will not be able to log on to your system at all, let alone fix it. So, to enable the module, add the following lines to the relevant PAM configuration files (in /etc/pam.d ):

account  sufficient pam_krb5.so ignore_root
auth     sufficient pam_krb5.so ignore_root
password required   pam_krb5.so ignore_root
session  optional   pam_krb5.so ignore_root

Yes, that’s sufficient for account and auth, required for password, and optional for session. Be sure to stack them in front of anything else, i.e., near the top of the file.

For the OpenSSH client side, you add GSSAPIAuthentication yes to the Host * stanza of either /etc/ssh/ssh_config, or ~/.ssh/config. It is also possible to limit this to hosts in a particular domain by using something like Host *.grep.be, but then you have to use ssh rock.grep.be rather than ssh rock, which is rather cumbersome. One thing you should not turn on for Host * is GSSAPIDelegateCredentials: it forwards a copy of your ticket-granting ticket to every server you log on to, which means a compromised server can act as you towards the rest of the realm. Enable it only for the few hosts where you really need your tickets on the other side.

PAM, which has no client side, obviously doesn’t need to be configured on the client side.

HTTP

The service principal for HTTP is HTTP/<host>@REALM; for the same machine rock.grep.be, this is HTTP/rock.grep.be@GREP.BE.

If, like me, you don’t run your webserver as root, then you must not store the key in /etc/krb5.keytab, which is kadmin ’s builtin default. Instead, you must then create a different file, owned by the user the webserver runs as and readable by nobody else (mode 0600); whoever can read that file owns the HTTP service’s long-term key. I use /etc/apache2/keytab:

kadmin: xst -k /etc/apache2/keytab HTTP/rock.grep.be@GREP.BE
kadmin: exit
# chown www-data:www-data /etc/apache2/keytab
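The three steps above (create the principal, export it into a keytab the service can read, check that it works) are the same for the host/ principal used by sshd and PAM and for the HTTP/ principal used by Apache; only the keytab path and owner differ. The following script is an added example, not the article’s own commands: it assumes an MIT Kerberos KDC reachable through kadmin, an admin principal admin/admin@GREP.BE (hypothetical) whose password kadmin prompts for, and the placeholder host rock.grep.be. The part most often skipped in practice is the last one, obtaining a ticket with the keytab key, which is the only real proof that the key in the file matches the KDC.

```shell
#!/bin/sh
# Added example, not the article's own commands: provision one keytab per
# service and verify it. Assumes an MIT Kerberos KDC reachable through kadmin
# and an admin principal (admin/admin@GREP.BE, hypothetical) whose password
# kadmin will prompt for; host, realm and keytab paths are placeholders.
set -eu

REALM=GREP.BE
FQDN=rock.grep.be      # must be the canonical name: compare with `hostname -f`

# Spell the service principal: the service part is case-sensitive
# (host/, HTTP/, imap/), the host part is the lower-case FQDN and the
# realm is upper case.
principal() {
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    realm=$(printf '%s' "$3" | tr 'a-z' 'A-Z')
    printf '%s/%s@%s\n' "$1" "$host" "$realm"
}

# kadmin commands that create the principal with a random key (no password
# anybody could type) and export that key into the given keytab.
kadmin_batch() {
    printf 'addprinc -randkey %s\n' "$1"
    printf 'ktadd -k %s %s\n' "$2" "$1"
}

# A keytab is a long-term secret: only the service account may read it.
secure_keytab() {
    chmod 0600 "$1"
    [ "$(id -u)" -eq 0 ] && chown "$2" "$1"     # chown only works as root
    return 0
}

# Read `klist -k KEYTAB` output on stdin and print the kvno of one principal
# (fails if the principal is not in the keytab). Every ktadd bumps the kvno
# on the KDC, so any other copy of the keytab (an old backup, a second web
# server) silently stops working; compare this number with the output of
# `kvno PRINCIPAL` run by a client holding a ticket.
keytab_kvno() {
    awk -v p="$1" '$2 == p { print $1; found = 1 } END { exit !found }'
}

# Usage: provision SERVICE KEYTAB OWNER, e.g.
#   provision host /etc/krb5.keytab root:root
#   provision HTTP /etc/apache2/keytab www-data:www-data
provision() {
    princ=$(principal "$1" "$FQDN" "$REALM")
    kadmin_batch "$princ" "$2" | kadmin -p "admin/admin@$REALM"
    secure_keytab "$2" "$3"
    kvno=$(klist -k "$2" | keytab_kvno "$princ")
    echo "$princ stored in $2 with kvno $kvno"
    # The real test: obtain a ticket with the keytab key. If this fails, the
    # key in the file does not match what the KDC has.
    kinit -k -t "$2" "$princ" && kdestroy
}
```

Run provision as root on the server for each service; for Apache, the resulting file is exactly the /etc/apache2/keytab referenced in the configuration below.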

Apache doesn’t have builtin support for Kerberos authentication. However, with the module mod_auth_kerb, available from its SourceForge website, one can make it support Kerberos. Compile it, load it, and add the following to a Directory configuration block that you want to have Kerberos authentication for:

AuthType Kerberos
KrbMethodNegotiate On
KrbMethodK5Passwd Off
Require valid-user
Krb5Keytab /etc/apache2/keytab

With that, you tell Apache to use the Kerberos module for authentication (line 1); to allow for authentication by way of Kerberos tickets, i.e. the Negotiate scheme (line 2); to not allow for fallback to Basic Authentication, in which the browser would send your Kerberos password in clear text for the module to verify against the KDC (a sensible choice unless you are using SSL; line 3); to require that a user is logged on before anything is shown (line 4); and that the keytab file is where we just created it (line 5). Now don’t forget to restart your Apache server, and the server side is all done.

As for the client side, that’s fairly easy. If you use a gecko-based browser such as Firefox, browse to about:config and set the value network.negotiate-auth.trusted-uris to the domain suffix of the servers you want to authenticate to (I use grep.be ). Keep it as narrow as you can, since any site matching it can start a Negotiate exchange with your browser; and leave the related network.negotiate-auth.delegation-uris alone unless a site really needs a copy of your tickets. If you use Konqueror, you don’t even need to do that: as long as Konqueror was built with Kerberos support enabled, it will work out of the box.

IMAP

I guess the pattern is getting pretty predictable by now. The service principal for IMAP is imap/<host>@REALM.

There are quite a number of IMAP servers out there for UNIX-like operating systems; a fairly good one, which I can recommend in general even if you don’t want Kerberos, is Dovecot. To enable Kerberos authentication, you just need to add gssapi to the list of supported authentication mechanisms. The exact name of that configuration option depends on the version of Dovecot you’re using: in the 1.x configuration file, it is the mechanisms option inside the auth default stanza; in 2.x, it is auth_mechanisms. Dovecot’s authentication process does not run as root either, so the same consideration as for Apache applies: put the imap/ key in a keytab of its own that the Dovecot user can read, and point Dovecot at it (the auth_krb5_keytab option in 2.x).

For the client side, all you need to do is use a client that actually supports GSSAPI authentication. Evolution is one such client; just go to your account preferences and set the authentication mechanism to GSSAPI.
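Before pointing a browser or mail client at the server, it is worth checking what the server actually advertises: whether Apache offers Negotiate and nothing else, and whether Dovecot lists AUTH=GSSAPI and refuses clear-text logins before STARTTLS. The script below is an added example, not part of the article; it parses captured responses (the embedded ones are constructed stand-ins), and the comments show the commands that would capture the real ones from the placeholder host rock.grep.be.

```shell
#!/bin/sh
# Added example, not from the article: confirm what a Kerberized HTTP and IMAP
# server actually advertise to clients, from captured responses. Host names are
# placeholders. Live captures come from, for instance:
#   curl -sI http://rock.grep.be/private/                   # the 401 headers
#   printf 'a CAPABILITY\r\na LOGOUT\r\n' | nc rock.grep.be 143
set -eu

# Print the scheme of every WWW-Authenticate header in an HTTP response.
# mod_auth_kerb with KrbMethodNegotiate On sends "Negotiate"; with
# KrbMethodK5Passwd On it also sends "Basic", i.e. the password fallback.
http_auth_schemes() {
    tr -d '\r' | awk 'tolower($1) == "www-authenticate:" { print $2 }'
}

# Print the SASL mechanisms (AUTH=...) an IMAP server lists in its CAPABILITY
# response or greeting, plus LOGINDISABLED, the flag that refuses the
# clear-text LOGIN command before STARTTLS.
imap_auth_mechs() {
    tr -d '\r' | awk '/CAPABILITY/ {
        for (i = 1; i <= NF; i++) {
            f = $i; sub(/]$/, "", f)
            if (f ~ /^AUTH=/) print substr(f, 6)
            else if (f == "LOGINDISABLED") print f
        }
    }'
}

# Succeed only if the wanted mechanism is offered and the weak one is not.
# Reads the list produced by one of the functions above on stdin.
offers_without_fallback() {
    want=$1; weak=$2
    list=$(cat)
    printf '%s\n' "$list" | grep -qx "$want" || return 1
    if printf '%s\n' "$list" | grep -qix "$weak"; then return 1; fi
    return 0
}

# Constructed stand-ins for the live responses, used as a self-check.
HTTP_401='HTTP/1.1 401 Authorization Required
WWW-Authenticate: Negotiate
Content-Type: text/html'
IMAP_CAPS='* OK Dovecot ready.
* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED AUTH=GSSAPI
a OK Pre-login capabilities listed.'

# Negotiate offered, Basic (clear-text password) not offered.
check_http() {
    printf '%s\r\n' "$HTTP_401" | http_auth_schemes | offers_without_fallback Negotiate Basic
}
# GSSAPI offered, PLAIN not offered on the unencrypted port.
check_imap() {
    printf '%s\r\n' "$IMAP_CAPS" | imap_auth_mechs | offers_without_fallback GSSAPI PLAIN
}
```

Replace the embedded strings with the output of the captures in the comments to check a real server; a Basic header showing up means KrbMethodK5Passwd is still on, and AUTH=PLAIN on port 143 before STARTTLS means Dovecot is still willing to take passwords in the clear.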

Wrapping up

Once the realm has been set up, configuring a client and a server to understand Kerberos between the two of them isn’t very hard; in fact, usually the hardest part is figuring out the right spelling for the service principal. With the few examples given above, I’m sure you can figure out some more for yourselves. And apart from HTTP, IMAP, and SSH, there are not only public-standard protocols such as LDAP and SMTP, but also special-purpose protocols, such as the one used between PostgreSQL clients and servers, that support Kerberos. A whole wealth of options!

Author information

Wouter Verhelst

Wouter is an independent contractor specializing in Free Software. In his free time, he contributes to the Debian Project as a Debian Developer.
