<h1>Exercise 1: Set up a kerberos client</h1>

<p>A Kerberos client is easy to set up to work with existing Kerberos
infrastructure.</p>

<h2>Setup</h2>

<p>Install the Kerberos client packages:</p>

<pre><code># apt-get install krb5-user
</code></pre>

<p>To show how little configuration is really needed, we will move the
auto-generated config file out of the way (it contains a long list of example
realms you don't need anyway) and create a new minimal one with just 4 lines:</p>

<pre><code># mv /etc/krb5.conf /etc/krb5.conf.example
# editor /etc/krb5.conf

[libdefaults]
default_realm = WS.NSRC.ORG
dns_lookup_realm = true
dns_lookup_kdc = true
</code></pre>

<p><code>dns_lookup_kdc</code> makes the client find the KDC from the
<code>_kerberos._udp.WS.NSRC.ORG</code> and <code>_kerberos._tcp.WS.NSRC.ORG</code>
SRV records instead of a <code>[realms]</code> section, and
<code>dns_lookup_realm</code> maps a hostname to its realm from the
<code>_kerberos.&lt;domain&gt;</code> TXT record. Plain DNS is not
authenticated, so a spoofed TXT record can point a client at the wrong realm;
that is why <code>dns_lookup_realm</code> defaults to false in MIT Kerberos. It is
fine on the class network, but in production prefer an explicit
<code>[domain_realm]</code> mapping unless your resolver validates DNSSEC.</p>

<p>Now check that the ssh client program will try Kerberos authentication.
It's enabled by default in Ubuntu, but in other operating systems it might
not be.</p>

<pre><code># editor /etc/ssh/ssh_config (on MacOSX it's /etc/ssh_config)

...
GSSAPIAuthentication yes
GSSAPIKeyExchange yes
...
</code></pre>

<p>Check that the <code>GSSAPIAuthentication yes</code> line is present and
uncommented (it is near the end of the file) and add the
<code>GSSAPIKeyExchange yes</code> line. ssh_config has no end-of-line comments,
so don't put any annotation after the value; ssh would reject the line. On an
OpenSSH build without the GSSAPI key exchange patch, ssh will also reject
<code>GSSAPIKeyExchange</code> as an unknown option and refuse to start at all:
either leave that line out there, or put <code>IgnoreUnknown GSSAPIKeyExchange</code>
on the line before it.</p>

<h2>Testing ssh client</h2>

<p>The class Kerberos setup has an account "testuser" which you can use.</p>

<pre><code>$ kinit testuser
... enter password when prompted
(password is "nsrc2020" unless you've been told otherwise)
</code></pre>

<p>You should now be able to login to servers in your Kerberos realm
without re-entering your password:</p>

<pre><code>$ ssh testuser@noc.ws.nsrc.org
-- logout, then login somewhere else

$ ssh testuser@s1.ws.nsrc.org
-- logout
</code></pre>

<p>Have a look at the tickets you've picked up:</p>

<pre><code>$ klist
</code></pre>

<p>You should see your own TGT (<code>krbtgt/WS.NSRC.ORG@WS.NSRC.ORG</code>) plus
a <code>host/...</code> service ticket for each server you've connected to,
each with its expiry time. Once the TGT expires you will have to run
<code>kinit</code> again.</p>

<p>To get rid of them, use <code>kdestroy</code>; check that you can no longer login
(the server will give you a password prompt instead).</p>

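<p>As an added example (not part of the exercise itself), here is a small shell
script that checks the pieces set up above without touching the network: that a
krb5.conf carries the three <code>[libdefaults]</code> keys, that an ssh_config
has both GSSAPI options enabled, which DNS names the <code>dns_lookup_*</code>
settings will make the library query, and which servers a <code>klist</code>
dump shows tickets for. The realm and hostnames are the ones from the exercise;
the config files and the klist output it writes are constructed so it runs
offline, and the klist parsing assumes MIT klist's default column layout.</p>

```shell
#!/bin/sh
# Added example, not part of the original exercise: post-setup sanity checks.
# The files written below are constructed so the script runs offline; the
# "stock" and "off" variants stand in for the configs you find before editing.

WORKDIR=$(mktemp -d)

# Constructed: the minimal krb5.conf from the exercise.
cat > "$WORKDIR/krb5.conf" <<'EOF'
[libdefaults]
default_realm = WS.NSRC.ORG
dns_lookup_realm = true
dns_lookup_kdc = true
EOF

# Constructed: a krb5.conf with dns_lookup_kdc commented out and no realm lookup.
cat > "$WORKDIR/krb5.conf.stock" <<'EOF'
[libdefaults]
    default_realm = WS.NSRC.ORG
#   dns_lookup_kdc = true
EOF

# Constructed: ssh_config with GSSAPI on, and the shipped default (commented, off).
cat > "$WORKDIR/ssh_config" <<'EOF'
Host *
    GSSAPIAuthentication yes
    GSSAPIKeyExchange yes
EOF
cat > "$WORKDIR/ssh_config.off" <<'EOF'
Host *
#   GSSAPIAuthentication no
EOF

# Constructed klist output after kinit and two ssh logins (MIT layout).
cat > "$WORKDIR/klist.txt" <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: testuser@WS.NSRC.ORG

Valid starting       Expires              Service principal
01/01/2020 09:00:00  01/01/2020 19:00:00  krbtgt/WS.NSRC.ORG@WS.NSRC.ORG
01/01/2020 09:01:12  01/01/2020 19:00:00  host/noc.ws.nsrc.org@WS.NSRC.ORG
01/01/2020 09:02:30  01/01/2020 19:00:00  host/s1.ws.nsrc.org@WS.NSRC.ORG
EOF

# Report each [libdefaults] key the exercise relies on that is absent or
# commented out. Returns 0 only when all three are set.
check_krb5_conf() {
    missing=0
    for key in default_realm dns_lookup_realm dns_lookup_kdc; do
        grep -Eq "^[[:space:]]*$key[[:space:]]*=" "$1" || {
            echo "$1: missing $key"; missing=1; }
    done
    return $missing
}

# Same for ssh_config: both GSSAPI options must be uncommented and exactly "yes"
# (no trailing annotation, since ssh_config has no end-of-line comments).
# ssh_config keywords are case-insensitive, so the grep is too.
check_ssh_config() {
    missing=0
    for opt in GSSAPIAuthentication GSSAPIKeyExchange; do
        grep -Eiq "^[[:space:]]*$opt[[:space:]]+yes[[:space:]]*$" "$1" || {
            echo "$1: $opt not enabled"; missing=1; }
    done
    return $missing
}

# DNS names the MIT libraries query with dns_lookup_kdc / dns_lookup_realm on.
# Verify them against your zone with, for example:
#   dig +short SRV "$(kdc_srv_name udp WS.NSRC.ORG)"
#   dig +short TXT "$(realm_txt_name ws.nsrc.org)"
kdc_srv_name()   { echo "_kerberos._$1.$2"; }   # $1 = udp|tcp, $2 = realm
realm_txt_name() { echo "_kerberos.$1"; }       # $1 = DNS domain of the host

# Does a klist dump hold a TGT for the realm?  $1 = realm, $2 = klist output file
has_tgt() { grep -q "krbtgt/$1@$1" "$2"; }

# Hostnames we hold host/ service tickets for, i.e. servers logged in to
# since the last kinit or kdestroy.  $1 = klist output file
ticket_hosts() {
    awk 'index($NF, "host/") == 1 { split($NF, p, "[/@]"); print p[2] }' "$1"
}

# Stand-alone run: the "stock"/"off" files show the failure paths.
check_krb5_conf  "$WORKDIR/krb5.conf"       && echo "krb5.conf ok"
check_krb5_conf  "$WORKDIR/krb5.conf.stock" || echo "krb5.conf.stock needs editing"
check_ssh_config "$WORKDIR/ssh_config"      && echo "ssh_config ok"
check_ssh_config "$WORKDIR/ssh_config.off"  || echo "ssh_config.off needs editing"
has_tgt WS.NSRC.ORG "$WORKDIR/klist.txt" &&
    echo "TGT present; host tickets for: $(ticket_hosts "$WORKDIR/klist.txt" | tr '\n' ' ')"
```

<p>Point the check functions at your real <code>/etc/krb5.conf</code> and
<code>/etc/ssh/ssh_config</code>, and feed <code>ticket_hosts</code> the output of
<code>klist</code> (or just use <code>klist -s</code>, which exits 0 when a valid
ticket exists, if all you need in a script is "do I have credentials").</p>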
<hr />

<h1>Reference material [not part of the exercise]</h1>

<p>We've actually enabled two different authentication mechanisms.
<code>GSSAPIAuthentication</code> is the standard one (gssapi-with-mic), and just
authenticates the user. <code>GSSAPIKeyExchange</code> is a newer one (gssapi-keyex)
which also validates the authenticity of the host. It avoids the need
to accept host keys into your <code>known_hosts</code> file, because Kerberos already
provides mutual authentication. Be clear about what that trades away: the
server's identity is then vouched for by the KDC and the server's own keytab
rather than by a host key you checked yourself, so a compromised KDC, or a leaked
<code>host/</code> keytab, lets an attacker impersonate that server to you.</p>

<p><code>GSSAPIKeyExchange</code> is available as a patch to ssh, and is included by
default in recent Debian/Ubuntu, RHEL6, and Fedora 13+. But it probably
won't work when connecting to older Unix boxes or to BSD boxes, in
which case you'll fall back to gssapi-with-mic and the normal host key check
against <code>known_hosts</code> applies again. <code>ssh -v</code> shows which
method was actually used: look for the <code>Authentication succeeded (...)</code>
line.</p>

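<p>To make the fallback visible, here is an added example (not from the original
page) that reads an <code>ssh -v</code> transcript and reports whether the
session used gssapi-keyex, fell back to gssapi-with-mic, or did not use Kerberos
at all. The three transcripts it writes are constructed and trimmed to the debug
lines that matter; the line formats are those printed by the OpenSSH client.</p>

```shell
#!/bin/sh
# Added example, not part of the original page: classify an `ssh -v` transcript
# by the GSSAPI method it ended up using. Transcripts below are constructed.

LOGDIR=$(mktemp -d)

# Constructed: server offered gssapi-keyex and the client used it.
cat > "$LOGDIR/keyex.log" <<'EOF'
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: gssapi-keyex
debug1: Authentication succeeded (gssapi-keyex).
EOF

# Constructed: an unpatched server, so only gssapi-with-mic was available.
cat > "$LOGDIR/withmic.log" <<'EOF'
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Authentication succeeded (gssapi-with-mic).
EOF

# Constructed: no ticket (or GSSAPIAuthentication off), so it fell through to password.
cat > "$LOGDIR/password.log" <<'EOF'
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: password
debug1: Authentication succeeded (password).
EOF

# Method named in the last "Authentication succeeded (...)" line.  $1 = transcript
auth_method() {
    sed -n 's/.*Authentication succeeded (\([^)]*\)).*/\1/p' "$1" | tail -n 1
}

# Did the server's first "Authentications that can continue" list include $2?
server_offers() {
    sed -n 's/.*Authentications that can continue: //p' "$1" | head -n 1 \
        | tr ',' '\n' | grep -qx "$2"
}

# keyex    : host verified through Kerberos, known_hosts not consulted
# with-mic : user via Kerberos, host still checked against known_hosts
# none     : no Kerberos; check klist and GSSAPIAuthentication
gss_verdict() {
    case "$(auth_method "$1")" in
        gssapi-keyex)    echo keyex ;;
        gssapi-with-mic) echo with-mic ;;
        *)               echo none ;;
    esac
}

for f in keyex withmic password; do
    echo "$f: $(gss_verdict "$LOGDIR/$f.log")"
done
```

<p>On a real connection, capture the transcript with
<code>ssh -v testuser@noc.ws.nsrc.org true 2&gt;transcript.log</code> and pass
that file to <code>gss_verdict</code>. A with-mic verdict against a server you
expected to support keyex usually means that server lacks the patch.</p>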
<p>More info at http://www.sxw.org.uk/computing/patches/openssh.html</p>

<h2>Enabling Kerberos in HTTP clients</h2>

<p>For curl, you must supply an empty username and password in option <code>-u</code>;
the bare <code>-u:</code> makes curl use the credentials in your ticket cache
instead of prompting:</p>

<pre><code>$ curl --negotiate -u: http://noc.ws.nsrc.org/secure/
</code></pre>

<p>For Firefox:</p>

<ul>
<li>Go to <code>about:config</code></li>
<li>Filter on "negotiate"</li>
<li>Set <code>network.negotiate-auth.trusted-uris</code> to <code>ws.nsrc.org</code></li>
</ul>

<p>For Google Chrome: apply the option when starting it up:</p>

<pre><code>/opt/google/chrome/google-chrome \
--auth-server-whitelist=*.ws.nsrc.org
</code></pre>

<p>(Newer Chrome versions call this option <code>--auth-server-allowlist</code>.)
In both browsers the list limits which hosts may be sent a Negotiate token at all,
so keep it to your own domain.</p>

<h2>Enabling Kerberos in LDAP client</h2>

<p>Under Ubuntu you have to have the appropriate SASL-GSSAPI module installed.</p>

<pre><code># apt-get install ldap-utils libsasl2-modules-gssapi-mit

$ ldapsearch -Y GSSAPI -h ldap.ws.nsrc.org \
  -b "dc=ws,dc=nsrc,dc=org" "(cn=*candler*)"
</code></pre>

<p>Newer ldap-utils deprecate <code>-h</code> in favour of
<code>-H ldap://ldap.ws.nsrc.org</code>. Whichever you use, the hostname must be
the one in the server's <code>ldap/ldap.ws.nsrc.org</code> service principal, so
give the server's real name rather than an IP address.</p>