
Configuring kerberos on newer Linux distributions

by Troy Dawson last modified 2015-05-22 10:19
History: published by Troy Dawson, 2008-11-20 11:39 (no comments).

Configuring your machine to work with Fermilab - for newer Linux distributions.

These instructions are for newer Linux distributions, meaning ones that ship openssh 4.0 or higher together with correspondingly recent versions of kerberos and pam_krb5. Exactly which versions of kerberos and pam_krb5 meet the criteria has not been pinned down, but thus far every distribution that comes standard with openssh 4.0 or higher has had all the other correct components.
These distributions have been tested and work with these instructions:

  • Scientific Linux 5.0 and above
  • RHEL 5 and above
  • Fedora 8 and above
  • Ubuntu 8.04 and above
  • Others? - Let me know so I can add to the list

Outbound Only

  • Install kinit
    Many distributions do not include kinit in the standard install, but it is easy to add. The hard part is knowing which package it is in.
    • SL, RHEL, Fedora - krb5-workstation
      yum install krb5-workstation
    • Ubuntu, Debian - krb5-user
      apt-get install krb5-user
  • Configure your krb5.conf
    1. wget http://security.fnal.gov/krb5.conf
    2. mv /etc/krb5.conf /etc/krb5.conf.save
    3. mv krb5.conf /etc/krb5.conf
    This file tells your machine which realm and KDCs to trust, and it is fetched over plain HTTP, so look it over (default_realm should be FNAL.GOV and the [realms] stanza should list the Fermilab KDCs) before moving it into place.
  • Configure your openssh client to pass kerberos tickets properly
    Edit your /etc/ssh/ssh_config
    Details on what to change

Outbound and Inbound


Note: Inbound kerberos connections can be handled with normal openssh, kerberos, and pam_krb5. The only difference is that you will not have Cryptocard login support.
  1. Install kinit
    Many distributions do not include kinit in the standard install, but it is easy to add. The hard part is knowing which package it is in.
    • SL, RHEL, Fedora - krb5-workstation
      yum install krb5-workstation
    • Ubuntu, Debian - krb5-user
      apt-get install krb5-user
  2. Configure your krb5.conf
      If your distribution is rpm based
    • rpm -Uvh ftp://linux.fnal.gov/linux/fermi/contrib/kerberos/sl5x/i386/krb5-fermi-config-current.rpm
    OR
      If your distribution is *not* rpm based or you feel better doing this
    1. wget http://security.fnal.gov/krb5.conf
    2. mv /etc/krb5.conf /etc/krb5.conf.save
    3. mv krb5.conf /etc/krb5.conf
  3. Get a host principal password from here
  4. This is the one step where installing Fermilab's kerberos makes things easier.
      If you installed krb5-fermi-config-current.rpm in a previous step
    • /usr/krb5/config/makehostkeys  
      The script needs {password}, the password sent to you in the previous step.
    OR
      If you did *not* install krb5-fermi-config-current.rpm in a previous step
    • kadmin -r FNAL.GOV -p host/{full.host.name}@FNAL.GOV -w {password} -q "ktadd host/{full.host.name}@FNAL.GOV"
      {full.host.name} is the full name for the computer, basically what you put down on the form in the previous step.
      {password} is the password sent to you in the previous step.
      Note that -w puts the password on the command line, where it shows up in process listings and shell history; if you leave -w out, kadmin prompts for it instead. ktadd replaces the principal's key with a new random key as it writes the keytab, so the one-time password stops working after this step. Confirm the result with klist -k /etc/krb5.keytab, which should list host/{full.host.name}@FNAL.GOV.
  5. Configure your openssh client to pass kerberos tickets properly
    Edit your /etc/ssh/ssh_config
    Details on what to change
  6. Install openssh-server
    Many distributions do not include openssh-server in the standard install, but it is easy to add.
    • SL, RHEL, Fedora - openssh-server
      yum install openssh-server
    • Ubuntu, Debian - openssh-server
      apt-get install openssh-server
  7. Configure your openssh daemon to do kerberos authentication only
    • Edit your /etc/ssh/sshd_config
      Details on what to change
    • Check the edited file with /usr/sbin/sshd -t before restarting; a syntax error would otherwise leave the machine without a working sshd.
    • Restart your ssh daemon
      /etc/init.d/sshd restart
      On Ubuntu and Debian the service is called ssh, so use /etc/init.d/ssh restart. Keep the session you edited from open until a fresh Kerberos login to the machine succeeds.
    • Make sure you have a hole punched in your firewall for ssh (port 22)
      You are on your own here
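The Outbound Only and Outbound and Inbound procedures above, gathered into one script as an added example. This is not the page's own script and not Fermilab's krb5-fermi-config package. The FNAL.GOV realm, the krb5.conf URL and the backup-then-move steps come from the page; the OpenSSH keywords (GSSAPIAuthentication, GSSAPIDelegateCredentials, GSSAPICleanupCredentials, and the PasswordAuthentication, ChallengeResponseAuthentication and PubkeyAuthentication switches) are the standard OpenSSH settings assumed here, since the page's "Details on what to change" links are not reproduced; the krb5.conf content check, the "apply" argument, the mktemp download path, the sshd -t check and the keytab verification are additions. With no argument the script only defines its functions.

```shell
#!/bin/sh
# Added example, not the page's own script. Assumes standard OpenSSH GSSAPI
# keywords; the page's linked "Details on what to change" are not reproduced.
set -eu

# set_option FILE KEY VALUE: remove every active or commented "KEY ..." line
# and append "KEY VALUE". Assumes no Match blocks, and that a trailing
# "Host *" block (if any) in ssh_config is where the new lines should land.
set_option() {
    f=$1; key=$2; value=$3; tmp="$f.tmp.$$"
    [ -f "$f" ] || : > "$f"
    grep -v -E "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|\$)" "$f" > "$tmp" || true
    printf '%s %s\n' "$key" "$value" >> "$tmp"
    mv "$tmp" "$f"
}

# get_option FILE KEY: print the value of the active KEY line (keywords are
# case-insensitive in OpenSSH; set_option leaves exactly one copy).
get_option() {
    awk -v k="$2" 'tolower($1) == tolower(k) { v = $2 } END { print v }' "$1"
}

# Client side (Outbound Only): authenticate with GSSAPI and forward the TGT so
# the remote shell has credentials of its own.
configure_ssh_client() {
    f=${1:-/etc/ssh/ssh_config}
    set_option "$f" GSSAPIAuthentication yes
    set_option "$f" GSSAPIDelegateCredentials yes
}

# Server side (Outbound and Inbound): GSSAPI only, every password and key
# based method switched off, forwarded credentials removed at logout.
configure_sshd() {
    f=${1:-/etc/ssh/sshd_config}
    set_option "$f" GSSAPIAuthentication yes
    set_option "$f" GSSAPICleanupCredentials yes
    set_option "$f" PasswordAuthentication no
    set_option "$f" ChallengeResponseAuthentication no
    set_option "$f" PubkeyAuthentication no
}

# check_krb5_conf FILE [REALM]: the downloaded file must name REALM as the
# default realm and list at least one kdc for it, or it is not installed.
check_krb5_conf() {
    f=$1; realm=${2:-FNAL.GOV}
    grep -Eq "^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*$realm[[:space:]]*\$" "$f" || return 1
    awk -v r="$realm" '
        $1 == r && $2 == "=" && $3 == "{" { inside = 1; next }
        inside && $1 == "}"                { inside = 0 }
        inside && $1 == "kdc"              { found = 1 }
        END { exit found ? 0 : 1 }' "$f"
}

# install_krb5_conf [URL]: the page's wget/mv steps, with the content check
# in between and a private temp file instead of a fixed name.
install_krb5_conf() {
    url=${1:-http://security.fnal.gov/krb5.conf}
    new=$(mktemp)
    wget -q -O "$new" "$url"
    if ! check_krb5_conf "$new" FNAL.GOV; then
        echo "downloaded krb5.conf does not look like the FNAL.GOV file, not installing" >&2
        rm -f "$new"; return 1
    fi
    if [ -f /etc/krb5.conf ]; then cp -p /etc/krb5.conf /etc/krb5.conf.save; fi
    mv "$new" /etc/krb5.conf
    chmod 644 /etc/krb5.conf
}

# verify_host_keytab [KEYTAB]: after the kadmin ktadd step, confirm this
# machine's host principal really is in the keytab.
verify_host_keytab() {
    kt=${1:-/etc/krb5.keytab}
    klist -k "$kt" | grep -q "host/$(hostname -f)@FNAL.GOV"
}

if [ "${1:-}" = "apply" ]; then
    install_krb5_conf
    configure_ssh_client /etc/ssh/ssh_config
    configure_sshd /etc/ssh/sshd_config
    /usr/sbin/sshd -t   # refuse to go on if sshd_config no longer parses
    verify_host_keytab || echo "host principal for $(hostname -f) is not in /etc/krb5.keytab yet" >&2
fi
```

Save it as, say, krb-setup.sh and run `sh krb-setup.sh apply` as root after the kadmin step; it leaves the restart to you, so follow with the page's step 7 (service sshd on RPM systems, ssh on Ubuntu and Debian) from a session you keep open until a Kerberos login succeeds.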
