Agenda: ex1-kerberos-client.html

File ex1-kerberos-client.html, 3.4 KB (added by admin, 8 years ago)
<h1>Exercise 1: Set up a Kerberos client</h1>

<p>A Kerberos client is easy to set up to work with existing Kerberos
infrastructure.</p>

<h2>Setup</h2>

<p>Install the Kerberos client packages:</p>

<pre><code># apt-get install krb5-user
</code></pre>

<p>To show how little configuration is really needed, we will move the
auto-generated config file out of the way (which contains a load of junk
anyway) and create a new minimal one with just 4 lines:</p>

<pre><code># mv /etc/krb5.conf /etc/krb5.conf.example
# editor /etc/krb5.conf

[libdefaults]
default_realm = WS.NSRC.ORG
dns_lookup_realm = true
dns_lookup_kdc = true
</code></pre>

<p>Now check that the ssh client program will try Kerberos authentication.
It's enabled by default in Ubuntu, but in other operating systems it might
not be.</p>

<pre><code># editor /etc/ssh/ssh_config      (on MacOSX it's /etc/ssh_config)

...
GSSAPIAuthentication yes    # check this line is present (near end)
GSSAPIKeyExchange yes       # add this line too
...
</code></pre>
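<p>As an added check (an example script, not part of the original exercise), the following shell snippet reports whether an ssh_config enables both of the GSSAPI options above, run here against a constructed sample file. It assumes only the file given is read (ssh also consults <code>~/.ssh/config</code> and <code>/etc/ssh/ssh_config.d/*.conf</code>) and that only global lines or a <code>Host *</code> block count.</p>

```shell
#!/bin/sh
# Added example (not from the NSRC exercise): check that an OpenSSH client
# config enables both GSSAPI options the exercise asks for. Assumes only
# the given file is read and only global lines or a "Host *" block count.

# ssh_option FILE KEYWORD: print the keyword's value (lower-cased) or "unset".
# As in ssh, the first match wins; keywords are case-insensitive, "Key=value" ok.
ssh_option() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { line = $0; sub(/#.*/, "", line); sub(/^[ \t]+/, "", line) }
        line == "" { next }
        { split(line, f, /[ \t=]+/); k = tolower(f[1]) }
        k == "host" || k == "match" { scoped = !(k == "host" && f[2] == "*"); next }
        scoped { next }                 # inside a host-specific block: skip
        k == key && !found { print tolower(f[2]); found = 1 }
        END { if (!found) print "unset" }
    ' "$1"
}

# check_gssapi FILE: "ok" when both options are "yes", else "missing: ..." and return 1.
check_gssapi() {
    missing=""
    for opt in GSSAPIAuthentication GSSAPIKeyExchange; do
        [ "$(ssh_option "$1" "$opt")" = "yes" ] || missing="$missing $opt"
    done
    if [ -z "$missing" ]; then
        echo "ok"
    else
        echo "missing:$missing"
        return 1
    fi
}

# write_sample_config FILE: constructed sample ssh_config (not a real file).
write_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample ssh_config
Host gateway.example
    GSSAPIKeyExchange no        # scoped to one host, so not counted
Host *
    GSSAPIAuthentication=yes
    gssapikeyexchange YES
EOF
}

sample=$(mktemp)
write_sample_config "$sample"
check_gssapi "$sample"              # prints: ok
rm -f "$sample"
```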
37
<h2>Testing ssh client</h2>

<p>The class Kerberos setup has an account "testuser" which you can use.</p>

<pre><code>$ kinit testuser
... enter password when prompted
(password is "nsrc2020" unless you've been told otherwise)
</code></pre>

<p>You should now be able to log in to servers in your Kerberos realm
without re-entering your password:</p>

<pre><code>$ ssh testuser@noc.ws.nsrc.org
-- logout, then login somewhere else

$ ssh testuser@s1.ws.nsrc.org
-- logout
</code></pre>

<p>Have a look at the tickets you've picked up:</p>

<pre><code>$ klist
</code></pre>

<p>You should see your own TGT plus tickets for the servers you've connected
to.</p>

<p>To get rid of them, use <code>kdestroy</code>; check that you can no longer log in
(the server will give you a password prompt instead).</p>

<hr />

<h1>Reference material [not part of the exercise]</h1>

<p>We've actually enabled two different authentication mechanisms.
<code>GSSAPIAuthentication</code> is the standard one (gssapi-with-mic), and just
authenticates the user. <code>GSSAPIKeyExchange</code> is a newer one (gssapi-keyex)
which also validates the authenticity of the host. It avoids the need
to accept host keys into your <code>known_hosts</code> file, because Kerberos already
provides mutual authentication.</p>

<p><code>GSSAPIKeyExchange</code> is available as a patch to ssh, and is included by
default in recent Debian/Ubuntu, RHEL6, and Fedora 13+. But it probably
won't work when connecting to older Unix boxes or to BSD boxes, in
which case you'll fall back to gssapi-with-mic.</p>

<p>More info at http://www.sxw.org.uk/computing/patches/openssh.html</p>

<h2>Enabling Kerberos in HTTP clients</h2>

<p>For curl, you must supply an empty username and password with the <code>-u</code> option:</p>

<pre><code>$ curl --negotiate -u: http://noc.ws.nsrc.org/secure/
</code></pre>

<p>For Firefox:</p>

<ul>
<li>Go to <code>about:config</code></li>
<li>Filter on "negotiate"</li>
<li>Set <code>network.negotiate-auth.trusted-uris</code> to <code>ws.nsrc.org</code></li>
</ul>

<p>For Google Chrome, pass the option on the command line when starting it:</p>

<pre><code>/opt/google/chrome/google-chrome \
  --auth-server-whitelist=*.ws.nsrc.org
</code></pre>

<h2>Enabling Kerberos in LDAP clients</h2>

<p>Under Ubuntu you must have the appropriate SASL GSSAPI module installed:</p>

<pre><code># apt-get install ldap-utils libsasl2-modules-gssapi-mit

$ ldapsearch -Y GSSAPI -h ldap.ws.nsrc.org \
    -b "dc=ws,dc=nsrc,dc=org" "(cn=*candler*)"
</code></pre>