<h1>Exercise 1: Set up a Kerberos client</h1>

<p>A Kerberos client is easy to set up to work with existing Kerberos
infrastructure.</p>

<h2>Setup</h2>

<p>Install the Kerberos client packages:</p>

<pre><code># apt-get install krb5-user
</code></pre>

<p>To show how little configuration is really needed, we will move the
auto-generated config file out of the way (it is full of settings you don't
need here) and create a new minimal one with just 4 lines:</p>

<pre><code># mv /etc/krb5.conf /etc/krb5.conf.example
# editor /etc/krb5.conf

[libdefaults]
default_realm = WS.NSRC.ORG
dns_lookup_realm = true
dns_lookup_kdc = true
</code></pre>

<p>With <code>dns_lookup_kdc = true</code> the library locates the KDC from the
<code>_kerberos._udp.WS.NSRC.ORG</code> (and <code>_tcp</code>) SRV records, and with
<code>dns_lookup_realm = true</code> it works out which realm a host belongs to from
<code>_kerberos</code> TXT records under the host's domain, so no <code>[realms]</code> or
<code>[domain_realm]</code> sections are needed. One caveat for anything beyond a lab:
the realm lookup trusts unauthenticated DNS answers, which is why MIT Kerberos
ships with it off by default; a production client normally sets
<code>dns_lookup_realm = false</code> and lists the mapping in
<code>[domain_realm]</code> instead.</p>

<p>Now check that the ssh client program will try Kerberos authentication.
It's enabled by default in Ubuntu, but in other operating systems it might
not be. ssh uses the first value it finds for each option, so add the lines to
the same <code>Host *</code> block as the other defaults rather than after some
other <code>Host</code> entry.</p>

<pre><code># editor /etc/ssh/ssh_config (on Mac OS X it may be /etc/ssh_config)

...
GSSAPIAuthentication yes # check this line is present (near the end)
GSSAPIKeyExchange yes # add this line too
...
</code></pre>
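<p>Because ssh takes the first value it finds for an option in a matching
<code>Host</code> section, an earlier block can silently override the lines you just
added. The script below is an added example, not part of the NSRC exercise: it
resolves the effective value of a client option for a given host the way ssh's
own matching works, and reports whether both GSSAPI options are on. The
<code>ssh_config</code> it reads is constructed for the example (it is not the Ubuntu
file), <code>Match</code> blocks are treated as not applying, and <code>Key=value</code>
is folded to <code>Key value</code>; all of those are assumptions made here.</p>

```shell
#!/bin/sh
# Added example (not from the NSRC exercise): resolve the effective value of a
# client option from an ssh_config the way ssh does, i.e. the first value found
# in a section whose Host pattern matches the target host wins.
# Assumptions: Match blocks are treated as not applying (they need runtime data),
# "Key=value" is folded to "Key value", and the file below is constructed for the
# example; it is not the real /etc/ssh/ssh_config.

SSH_CONFIG_SAMPLE=$(mktemp)
trap 'rm -f "$SSH_CONFIG_SAMPLE"' EXIT
cat > "$SSH_CONFIG_SAMPLE" <<'EOF'
# constructed sample ssh_config: an old box that must not be offered GSSAPI,
# then the site-wide defaults
Host legacy.example.org
    GSSAPIAuthentication no

Host *
    GSSAPIAuthentication yes
    GSSAPIKeyExchange yes
    SendEnv LANG LC_*
EOF

# ssh_option CONFIG HOST KEYWORD: print the first applicable value of KEYWORD
# for HOST; exit 1 and print nothing if the file never sets it for that host.
ssh_option() (
  set -f                         # no filename globbing: keep "Host *" and "LC_*" literal
  cfg=$1 host=$2
  want=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
  active=1                       # lines before the first Host/Match apply to every host
  while IFS= read -r line || [ -n "$line" ]; do
    set -- $(printf '%s' "$line" | tr '=' ' ')   # split into words, "Key=value" -> "Key value"
    [ $# -eq 0 ] && continue
    case $1 in \#*) continue ;; esac             # comment line (ssh only allows whole-line comments)
    key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    shift
    case $key in
      host)
        active=0
        for pat in "$@"; do
          case $pat in
            !*) case $host in ${pat#!}) active=0; break ;; esac ;;   # negated pattern excludes the host
            *)  case $host in $pat) active=1 ;; esac ;;
          esac
        done ;;
      match)
        active=0 ;;              # Match (user, exec, ...) needs runtime data; assumed not to match here
      "$want")
        [ $active -eq 1 ] && { printf '%s\n' "$1"; exit 0; } ;;
    esac
  done < "$cfg"
  exit 1
)

# gssapi_ready CONFIG HOST: succeed only if both GSSAPI options resolve to "yes"
gssapi_ready() {
  [ "$(ssh_option "$1" "$2" GSSAPIAuthentication)" = yes ] &&
  [ "$(ssh_option "$1" "$2" GSSAPIKeyExchange)" = yes ]
}

for h in noc.ws.nsrc.org legacy.example.org; do
  if gssapi_ready "$SSH_CONFIG_SAMPLE" "$h"; then
    echo "$h: ssh will try Kerberos (gssapi-keyex, then gssapi-with-mic)"
  else
    echo "$h: ssh will NOT use Kerberos; check the first Host block that matches"
  fi
done
```

<p>For <code>legacy.example.org</code> the first matching block answers
<code>GSSAPIAuthentication no</code>, so the <code>yes</code> under <code>Host *</code> never
applies; that is the failure mode to look for when Kerberos login unexpectedly
falls back to a password prompt. On a real system the authoritative check is
<code>ssh -G noc.ws.nsrc.org | grep -i gssapi</code>, which prints the effective
values after ssh has parsed all of its configuration.</p>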
<h2>Testing ssh client</h2>

<p>The class Kerberos setup has an account "testuser" which you can use.</p>

<pre><code>$ kinit testuser
... enter password when prompted
(password is "nsrc2020" unless you've been told otherwise)
</code></pre>

<p>You should now be able to log in to servers in your Kerberos realm
without re-entering your password:</p>

<pre><code>$ ssh testuser@noc.ws.nsrc.org
-- logout, then login somewhere else

$ ssh testuser@s1.ws.nsrc.org
-- logout
</code></pre>

<p>Have a look at the tickets you've picked up:</p>

<pre><code>$ klist
</code></pre>

<p>You should see your own TGT (the <code>krbtgt/WS.NSRC.ORG@WS.NSRC.ORG</code>
entry) plus a <code>host/...</code> service ticket for each server you've connected
to; ssh fetched those from the KDC with your TGT, which is why no password was
needed.</p>

<p>To get rid of them, use <code>kdestroy</code>; then check that you can no longer
log in without a password (the server will give you a password prompt instead).</p>
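<p>The ticket lifecycle above (kinit gives a TGT, each ssh adds a service
ticket, expiry or <code>kdestroy</code> ends it) is easy to check by hand with
<code>klist</code>, but scripts that are about to run Kerberos-authenticated ssh
or LDAP queries need the same answer programmatically. The following is an
added example, not part of the NSRC exercise: it parses <code>klist</code> output
to decide whether a usable TGT for a realm exists at a given time and to list
the services already authenticated to. The <code>klist</code> text is constructed
for the example (the times are made up), and two-digit years are assumed to be
20xx.</p>

```shell
#!/bin/sh
# Added example (not from the NSRC exercise): read MIT `klist` output and answer
# "is there a usable TGT for this realm, and which services do I already hold
# tickets for?". The sample below is constructed, not captured from the class
# servers; dates and times are made up.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: testuser@WS.NSRC.ORG

Valid starting       Expires              Service principal
01/15/2020 10:00:00  01/15/2020 20:00:00  krbtgt/WS.NSRC.ORG@WS.NSRC.ORG
01/15/2020 10:01:12  01/15/2020 20:00:00  host/noc.ws.nsrc.org@WS.NSRC.ORG
01/15/2020 10:03:40  01/15/2020 20:00:00  host/s1.ws.nsrc.org@WS.NSRC.ORG'

# klist_expiry PRINCIPAL (klist output on stdin): print the expiry of the ticket
# for PRINCIPAL as "YYYY-MM-DD HH:MM:SS", a form in which plain string comparison
# orders times correctly; print nothing if there is no such ticket.
klist_expiry() {
  awk -v want="$1" '
    $5 == want {
      split($3, d, "/")                          # klist prints MM/DD/YYYY (older builds MM/DD/YY)
      if (length(d[3]) == 2) d[3] = "20" d[3]    # assumption: two-digit years are 20xx
      printf "%s-%s-%s %s\n", d[3], d[1], d[2], $4
      exit
    }'
}

# tgt_valid REALM NOW (klist output on stdin; NOW as "YYYY-MM-DD HH:MM:SS"):
# succeed only if a krbtgt ticket for REALM exists and expires after NOW.
tgt_valid() {
  exp=$(klist_expiry "krbtgt/$1@$1")
  [ -n "$exp" ] && awk -v a="$exp" -v b="$2" 'BEGIN { exit !(a > b) }'
}

# service_tickets (klist output on stdin): the service principals held, i.e. the
# servers already authenticated to since kinit, with the TGT itself excluded.
service_tickets() {
  awk '$5 ~ /@/ && $5 !~ /^krbtgt\// { print $5 }'
}

# A fixed "now" keeps the demo reproducible; live, use $(date '+%Y-%m-%d %H:%M:%S')
now="2020-01-15 12:00:00"
if printf '%s\n' "$SAMPLE_KLIST" | tgt_valid WS.NSRC.ORG "$now"; then
  echo "TGT for WS.NSRC.ORG is valid at $now; service tickets held:"
  printf '%s\n' "$SAMPLE_KLIST" | service_tickets
else
  echo "no usable TGT for WS.NSRC.ORG at $now: run kinit again"
fi
```

<p>Against a live cache the same functions are fed from the real command:
<code>klist | tgt_valid WS.NSRC.ORG "$(date '+%Y-%m-%d %H:%M:%S')"</code>. After
<code>kdestroy</code> the cache is gone, <code>klist_expiry</code> prints nothing and
<code>tgt_valid</code> fails, which is exactly the state in which ssh falls back
to a password prompt. For a bare yes/no on the current cache, MIT's
<code>klist -s</code> exits non-zero when there are no unexpired tickets; the parser
above adds the per-service view and the ability to test against a chosen time.</p>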
<hr />

<h1>Reference material [not part of the exercise]</h1>

<p>We've actually enabled two different authentication mechanisms.
<code>GSSAPIAuthentication</code> is the standard one (gssapi-with-mic), and only
authenticates the user; the server's host key is still checked the usual way.
<code>GSSAPIKeyExchange</code> is a newer one (gssapi-keyex) which also
authenticates the host as part of the key exchange. It avoids the need to
accept host keys into your <code>known_hosts</code> file, because Kerberos already
provides mutual authentication: the server can only complete the exchange if it
holds the key for its <code>host/...</code> principal.</p>

<p><code>GSSAPIKeyExchange</code> is available as a patch to ssh, and is included by
default in recent Debian/Ubuntu, RHEL6, and Fedora 13+. But it probably
won't work when connecting to older Unix boxes or to BSD boxes, in
which case you'll fall back to gssapi-with-mic (and to ordinary host-key
checking for that host).</p>

<p>More info at <a href="http://www.sxw.org.uk/computing/patches/openssh.html">http://www.sxw.org.uk/computing/patches/openssh.html</a></p>

<h2>Enabling Kerberos in HTTP clients</h2>

<p>For curl, you must supply an empty username and password in option <code>-u</code>
(just the colon), so that it uses the Negotiate mechanism with your ticket
cache instead of prompting:</p>

<pre><code>$ curl --negotiate -u: http://noc.ws.nsrc.org/secure/
</code></pre>

<p>For Firefox:</p>

<ul>
<li>Go to <code>about:config</code></li>
<li>Filter on "negotiate"</li>
<li>Set <code>network.negotiate-auth.trusted-uris</code> to <code>ws.nsrc.org</code></li>
</ul>

<p>For Google Chrome: apply the option when starting it up:</p>

<pre><code>/opt/google/chrome/google-chrome \
--auth-server-whitelist=*.ws.nsrc.org
</code></pre>

<p>Newer Chrome versions call this option <code>--auth-server-allowlist</code> (and
the corresponding policy <code>AuthServerAllowlist</code>). In both browsers the list
decides which web servers will be sent a Negotiate token minted from your TGT, so
keep it to your own domain rather than a bare wildcard.</p>

<h2>Enabling Kerberos in LDAP client</h2>

<p>Under Ubuntu you have to have the appropriate SASL-GSSAPI module installed.</p>

<pre><code># apt-get install ldap-utils libsasl2-modules-gssapi-mit

$ ldapsearch -Y GSSAPI -h ldap.ws.nsrc.org \
-b "dc=ws,dc=nsrc,dc=org" "(cn=*candler*)"
</code></pre>

<p>The GSSAPI bind uses the ticket cache from <code>kinit</code>, so run that first;
the SASL layer asks the KDC for a ticket for <code>ldap/ldap.ws.nsrc.org@WS.NSRC.ORG</code>,
so the host name you connect to must match the server's principal (connecting by IP
address will fail). Newer ldap-utils deprecate <code>-h</code> in favour of
<code>-H ldap://ldap.ws.nsrc.org</code>.</p>