FreeBSD 5.2.x + Kerberos HOWTO
==============================

http://shankerbalan.com/

Overview
========

FreeBSD 5.2.x ships with Heimdal Kerberos in base. The following document
describes how to set up Kerberos V with the fewest steps.

It will be nice to have a distributed network which uses Kerberos for
authentication and LDAP for name service lookups. Time permitting, I would
like to implement support for managing Heimdal Kerberos accounts via my
EzLDAP scripts available at http://shankerbalan.com/ezldap.php. There is
some rudimentary support (nasty hacks) for it in the source right now.

RedHat ships with a nice GNOME/Gtk GUI for kinit. Can't find it in ports
though.

Setting Up Heimdal Kerberos
===========================

See http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kerberos5.html

#
# /etc/krb5.conf
#
[libdefaults]
        default_realm = MYDOMAIN

[realms]
        MYDOMAIN = {
                kdc = godzilla.mydomain.com
        }

[domain_realm]
        .mydomain.com = MYDOMAIN

root# kstash
Master key: password1234
Verifying password - Master key: password1234

root# kadmin -l
kadmin> init MYDOMAIN
Realm max ticket life [unlimited]:
kadmin> add shanu
Max ticket life [unlimited]:
Max renewable life [unlimited]:
Attributes []:
Password: secret1234
Verifying password - Password: secret1234

#
# /etc/rc.conf
#
kerberos5_server_enable="YES"   # Run a kerberos 5 master server (or NO).
kadmind5_server_enable="YES"    # Run kadmind (or NO)
kpasswdd_server_enable="YES"    # Run kpasswdd (or NO)

root# /etc/rc.d/kerberos start
root# /etc/rc.d/kadmind start
root# /etc/rc.d/kpasswdd start
root# tail -f /var/heimdal/kdc.log

As user "shanu":

[godzilla] ~> klist
klist: No ticket file: /tmp/krb5cc_1004
[godzilla] ~> kinit
shanu@MYDOMAIN's Password: secret1234
[godzilla] ~> klist
Credentials cache: FILE:/tmp/krb5cc_1004
        Principal: shanu@MYDOMAIN

  Issued           Expires          Principal
Mar 12 11:38:51  Mar 12 21:38:51  krbtgt/MYDOMAIN@MYDOMAIN

And in "kdc.log":

2004-03-12T11:38:51 AS-REQ shanu@MYDOMAIN from IPv4:192.168.1.24 for krbtgt/MYDOMAIN@MYDOMAIN

Srvtab Entry
============

root# kadmin
kadmin> add --random-key host/godzilla.mydomain.com
Max ticket life [unlimited]:
Max renewable life [unlimited]:
Attributes []:
kadmin> ext host/godzilla.mydomain.com

PAM + Kerberos
==============

root# cd /etc/pam.d/

Uncomment the following lines in each pam.d service file to enable Kerberos
authentication via the pam_krb5.so module.

# auth
auth            sufficient      pam_krb5.so             no_warn try_first_pass

# account
account         required        pam_krb5.so

Telnet + Kerberos
=================

#
# /etc/inetd.conf
#
telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd -a user
telnet  stream  tcp6    nowait  root    /usr/libexec/telnetd    telnetd -a user

root# /etc/rc.d/inetd restart

OpenSSH + Kerberos
==================

See http://marc.theaimsgroup.com/?l=freebsd-current&m=107905791510665&w=2

"3.7.1 and 3.8 use different, incompatible GSSAPI mechanisms. You need to run
the same version in both ends."
[godzilla] /etc/pam.d> ssh -V
OpenSSH_3.8p1 FreeBSD-20040226, SSH protocols 1.5/2.0, OpenSSL 0.9.7c 30 Sep 2003

#
# /etc/ssh/sshd_config
#
# Kerberos options
KerberosAuthentication yes
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup no
#KerberosGetAFSToken no

# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes

#
# /etc/ssh/ssh_config
#
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes

[godzilla] ~> ssh -v godzilla
OpenSSH_3.8p1 FreeBSD-20040226, SSH protocols 1.5/2.0, OpenSSL 0.9.7c 30 Sep 2003
[..]
debug1: Authentications that can continue: publickey,gssapi-with-mic,keyboard-interactive
debug1: Next authentication method: gssapi-with-mic
debug1: Delegating credentials
debug1: Delegating credentials
debug1: Authentication succeeded (gssapi-with-mic).
[..]
[godzilla] ~>

root# tail -f /var/heimdal/kdc.log
2004-03-12T11:46:57 TGS-REQ shanu@MYDOMAIN from IPv4:192.168.1.24 for host/godzilla.mydomain.com@MYDOMAIN
2004-03-12T11:46:57 TGS-REQ shanu@MYDOMAIN from IPv4:192.168.1.24 for krbtgt/MYDOMAIN@MYDOMAIN [forwarded, forwardable]

Postfix + Kerberos + SMTP AUTH
==============================

Recompile cyrus-sasl2 with "MAKE_KERBEROS5=yes"

#
# /usr/local/etc/postfix/main.cf
#
# Enable SMTP auth
smtpd_sasl_auth_enable = yes

[godzilla] ~> telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 godzilla.mydomain.com ESMTP Postfix
ehlo there
250-godzilla.mydomain.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH NTLM LOGIN PLAIN GSSAPI DIGEST-MD5 CRAM-MD5
250-XVERP
250 8BITMIME
quit
221 Bye
Connection closed by foreign host.
[godzilla] ~>

** NOTE ** I have not tested whether this works. I am not aware of a mail
client which does GSSAPI right now.

OpenLDAP + Kerberos
===================

OpenLDAP, if compiled with cyrus-sasl (which in turn has been compiled with
Kerberos support), will accept GSSAPI logins now.
[godzilla] ~# kadmin -l
kadmin> add -r ldap/godzilla.mydomain.com@MYDOMAIN
kadmin> ext ldap/godzilla.mydomain.com
kadmin> exit

[godzilla] ~# chgrp ldap /etc/krb5.keytab
[godzilla] ~# chmod g+r /etc/krb5.keytab
[godzilla] ~# chgrp ldap /usr/local/etc/sasldb2
[godzilla] ~# ls -l /usr/local/etc/sasldb2
-rw-r-----  1 cyrus  ldap  24576 Mar 12 10:59 /usr/local/etc/sasldb2
[godzilla] ~# ls -l /etc/krb5.keytab
-rw-r-----  1 root  ldap  578 Mar 12 14:05 /etc/krb5.keytab

[godzilla] > ldapsearch -h localhost -I -b "" -s base -LLL supportedSASLMechanisms
SASL/GSSAPI authentication started
SASL Interaction
Please enter your authorization name:
SASL username: shanu@MYDOMAIN
SASL SSF: 56
SASL installing layers
dn:
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5

root# tail -f /var/heimdal/kdc.log
2004-03-12T14:06:25 AS-REQ shanu@MYDOMAIN from IPv4:192.168.1.24 for krbtgt/MYDOMAIN@MYDOMAIN
2004-03-12T14:06:28 TGS-REQ shanu@MYDOMAIN from IPv4:192.168.1.24 for ldap/godzilla.mydomain.com@MYDOMAIN

#
# slapd.conf
#
sasl-realm      MYDOMAIN
sasl-host       godzilla.mydomain.com
sasl-regexp     uid=(.*),cn=MYDOMAIN,cn=gssapi,cn=auth
                ldap:///dc=mydomain,dc=com??sub?(uid=$1)

# ACLs
# Allows users access to their passwords
access to attribute=userPassword,sambaLMPassword,sambaNTPassword
        by dn="cn=manager,dc=mydomain,dc=com" write
        by anonymous auth
        by self write
        by * none

root# /etc/rc.d/slapd restart

--> Add a user entry "shanu" into LDAP

[godzilla] ~> kdestroy
[godzilla] ~> kinit
shanu@MYDOMAIN's Password: secret1234
[godzilla] > ldapwhoami
SASL/GSSAPI authentication started
SASL username: shanu@MYDOMAIN
SASL SSF: 56
SASL installing layers
dn:uid=shanu,ou=people,dc=mydomain,dc=com

[godzilla] ~> ldapsearch -h localhost -I -b "dc=mydomain,dc=com" uid=shanu userPassword
SASL/GSSAPI authentication started
SASL Interaction
Please enter your authorization name:
SASL username: shanu@MYDOMAIN
SASL SSF: 56
SASL installing layers
# extended LDIF
#
# LDAPv3
# base with scope sub
# filter: uid=shanu
# requesting: userPassword
#

# shanu, people, mydomain.com
dn: uid=shanu,ou=people,dc=mydomain,dc=com
userPassword:: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=

# search result
search: 5
result: 0 Success

# numResponses: 2

The same thing after a "kdestroy":

[godzilla] ~> kdestroy
[godzilla] ~> ldapsearch -h localhost -I -b "dc=mydomain,dc=com" uid=shanu userPassword
SASL/GSSAPI authentication started
SASL Interaction
Please enter your authorization name:
ldap_sasl_interactive_bind_s: Local error (82)
        additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (see text) (open(/tmp/krb5cc_1004): No such file or directory)

TaDa!

See: More work on Kerberos/LDAP/Samba integration
http://marc.theaimsgroup.com/?l=samba-technical&m=107797135318875&w=2

Resources
=========

FreeBSD Handbook: 10.7 Kerberos5
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kerberos5.html

What is Heimdal?
http://www.pdc.kth.se/heimdal/heimdal.html

FreeBSD Security Mailing Lists
http://marc.theaimsgroup.com/?l=freebsd-security

Changelog:

* Fri Mar 12 11:32:13 IST 2004 - First cut
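Added example, not part of the original HOWTO: every section above verifies its step by watching /var/heimdal/kdc.log with tail -f. The script below turns that manual check into a repeatable report over the AS-REQ/TGS-REQ lines in the format shown in this document, and flags a principal that requests tickets from more than one source address. The sample log is constructed from the HOWTO's own excerpts (the 10.0.0.9 entry is made up to show a second address); it assumes only that line format.

```shell
#!/bin/sh
# Added example, not from the original HOWTO: summarise Heimdal kdc.log lines of
# the form shown in this document, e.g.
#   2004-03-12T11:46:57 TGS-REQ shanu@MYDOMAIN from IPv4:192.168.1.24 for host/godzilla.mydomain.com@MYDOMAIN
# Assumes only that format; other kdc.log line types are ignored.

# Constructed sample log (modelled on the HOWTO's kdc.log excerpts; the
# 10.0.0.9 entry is invented to show a second source address).
SAMPLE_LOG='2004-03-12T11:38:51 AS-REQ shanu@MYDOMAIN from IPv4:192.168.1.24 for krbtgt/MYDOMAIN@MYDOMAIN
2004-03-12T11:46:57 TGS-REQ shanu@MYDOMAIN from IPv4:192.168.1.24 for host/godzilla.mydomain.com@MYDOMAIN
2004-03-12T11:46:57 TGS-REQ shanu@MYDOMAIN from IPv4:192.168.1.24 for krbtgt/MYDOMAIN@MYDOMAIN [forwarded, forwardable]
2004-03-12T14:06:28 TGS-REQ shanu@MYDOMAIN from IPv4:192.168.1.24 for ldap/godzilla.mydomain.com@MYDOMAIN
2004-03-12T14:10:02 AS-REQ shanu@MYDOMAIN from IPv4:10.0.0.9 for krbtgt/MYDOMAIN@MYDOMAIN'

# kdc_summary: read kdc.log on stdin; print one line per (request type,
# client principal, requested service) with the request count and how many
# of them Heimdal marked as forwarded TGTs.  AS-REQ lines are initial
# (password) authentications; TGS-REQ lines are service-ticket requests.
kdc_summary() {
    awk '
    $2 == "AS-REQ" || $2 == "TGS-REQ" {
        key = $2 " " $3 " " $7
        count[key]++
        if ($0 ~ /\[forwarded/) fwd[key]++
    }
    END {
        for (k in count)
            printf "%s requests=%d forwarded=%d\n", k, count[k], fwd[k] + 0
    }' | sort
}

# kdc_multi_source: print client principals that requested tickets from more
# than one source address, with the address count; a user principal that
# suddenly shows up from a second host is worth a look.
kdc_multi_source() {
    awk '
    $2 == "AS-REQ" || $2 == "TGS-REQ" {
        addr = $5; sub(/^IPv[46]:/, "", addr)
        if (!(($3 SUBSEP addr) in seen)) { seen[$3 SUBSEP addr] = 1; n[$3]++ }
    }
    END { for (c in n) if (n[c] > 1) print c, n[c] }' | sort
}

# On a live KDC: kdc_summary < /var/heimdal/kdc.log
printf '%s\n' "$SAMPLE_LOG" | kdc_summary
printf '%s\n' "$SAMPLE_LOG" | kdc_multi_source
```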