Agenda: ex1-kerberos-client.html

<h1>Exercise 1: Set up a kerberos client</h1>

<p>A Kerberos client is easy to set up to work with existing Kerberos
infrastructure.</p>

<h2>Setup</h2>

<p>Install the Kerberos client packages:</p>

<pre><code># apt-get install krb5-user
</code></pre>

<p>To show how little configuration is really needed, we will move the
auto-generated config file out of the way (which contains a load of junk
anyway) and create a new minimal one with just 4 lines:</p>

<pre><code># mv /etc/krb5.conf /etc/krb5.conf.example
# editor /etc/krb5.conf

[libdefaults]
default_realm = WS.NSRC.ORG
dns_lookup_realm = true
dns_lookup_kdc = true
</code></pre>

<p>Now check that the ssh client program will try Kerberos authentication. 
It's enabled by default in Ubuntu, but in other operating systems it might
not be.</p>

<pre><code># editor /etc/ssh/ssh_config      (on MacOSX it's /etc/ssh_config)

...
GSSAPIAuthentication yes    # check this line present (near end)
GSSAPIKeyExchange yes       # add this line too
...
</code></pre>

<h2>Testing ssh client</h2>

<p>The class Kerberos setup has an account "testuser" which you can use.</p>

<pre><code>$ kinit testuser
... enter password when prompted
(password is "nsrc2020" unless you've been told otherwise)
</code></pre>

<p>Now you should now be able to login to servers in your Kerberos realm
without re-entering your password:</p>

<pre><code>$ ssh testuser@noc.ws.nsrg.org
-- logout, then login somewhere else

$ ssh testuser@s1.ws.nsrc.org
-- logout
</code></pre>

<p>Have a look at the tickets you've picked up:</p>

<pre><code>$ klist
</code></pre>

<p>You should see your own TGT plus tickets for the servers you've connected
to.</p>

<p>To get rid of them, use <code>kdestroy</code>; check that you can no longer login
(the server will give you a password prompt instead)</p>

<hr />

<h1>Reference material [not part of the exercise]</h1>

<p>We've actually enabled two different authentication mechanisms.
<code>GSSAPIAuthentication</code> is the standard one (gssapi-with-mic), and just
authenticates the user. <code>GSSAPIKeyExchange</code> is a new one (gssapi-keyex)
which also validates the authenticity of the host. It avoids the need
to accept host keys into your <code>known_hosts</code> file, because Kerberos already
provides mutual authentication.</p>

<p><code>GSSAPIKeyExchange</code> is available as a patch to ssh, and is included by
default in recent Debian/Ubuntu, RHEL6, and Fedora 13+. But it probably
won't work when connecting to older Unix boxes or to BSD boxes, in
which case you'll fall back to gssapi-with-mic.</p>

<p>More info at http://www.sxw.org.uk/computing/patches/openssh.html</p>

<h2>Enabling Kerberos in HTTP clients</h2>

<p>For curl, you must supply an empty username and password in option <code>-u</code></p>

<pre><code>$ curl --negotiate -u: http://noc.ws.nsrc.org/secure/
</code></pre>

<p>For Firefox:</p>

<ul>
<li>Go to <code>about:config</code></li>
<li>Filter on "negotiate"</li>
<li><code>network.negotiate-auth.trusted-uris   ws.nsrc.org</code></li>
</ul>

<p>For Google Chrome: apply the option when starting it up:</p>

<pre><code>/opt/google/chrome/google-chrome \
  --auth-server-whitelist=*.ws.nsrc.org
</code></pre>

<h2>Enabling Kerberos in LDAP client</h2>

<p>Under Ubuntu you have to have the appropriate SASL-GSSAPI module installed.</p>

<pre><code># apt-get install ldap-utils libsasl2-modules-gssapi-mit

$ ldapsearch -Y GSSAPI -h ldap.ws.nsrc.org \
    -b "dc=ws,dc=nsrc,dc=org" "(cn=*candler*)"
</code></pre>