Exercise 1: Set up a Kerberos client
====================================

A Kerberos client is easy to set up to work with existing Kerberos
infrastructure.

Setup
-----

Install the Kerberos client packages:

    # apt-get install krb5-user

To show how little configuration is really needed, we will move the
auto-generated config file (which contains a load of junk anyway) out of
the way and create a new minimal one with just 4 lines:

    # mv /etc/krb5.conf /etc/krb5.conf.example
    # editor /etc/krb5.conf

    [libdefaults]
        default_realm = WS.NSRC.ORG
        dns_lookup_realm = true
        dns_lookup_kdc = true

Now check that the ssh client program will try Kerberos authentication.
It's enabled by default in Ubuntu, but in other operating systems it might
not be.

    # editor /etc/ssh/ssh_config      (on Mac OS X it's /etc/ssh_config)

    ...
    GSSAPIAuthentication yes    # check this line is present (near the end)
    GSSAPIKeyExchange yes       # add this line too
    ...

Testing the ssh client
----------------------

The class Kerberos setup has an account "testuser" which you can use.

    $ kinit testuser
    ... enter password when prompted
    (password is "nsrc2020" unless you've been told otherwise)

You should now be able to log in to servers in your Kerberos realm
without re-entering your password:

    $ ssh testuser@noc.ws.nsrc.org
    -- logout, then login somewhere else

    $ ssh testuser@s1.ws.nsrc.org
    -- logout

Have a look at the tickets you've picked up:

    $ klist

You should see your own TGT plus tickets for the servers you've connected
to.

To get rid of them, use `kdestroy`; check that you can no longer log in
(the server will give you a password prompt instead).
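As an added example (not part of the exercise handout), the script below parses the minimal `krb5.conf` above to show which DNS SRV names the client will query for a KDC, and checks a `klist` listing for the TGT plus the `host/` tickets you should have after the two ssh logins. The `klist` text is constructed to match MIT Kerberos output, not captured from the class KDC.

```python
# Added example, not part of the exercise: what the minimal krb5.conf relies
# on, plus a check of klist output after the ssh tests (klist text constructed).
KRB5_CONF = """
[libdefaults]
    default_realm = WS.NSRC.ORG
    dns_lookup_realm = true
    dns_lookup_kdc = true
"""
# Constructed MIT-format klist output after `kinit testuser` and ssh to both
# servers named in the exercise.
KLIST_OUTPUT = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: testuser@WS.NSRC.ORG

Valid starting     Expires            Service principal
05/10/20 10:00:00  05/10/20 20:00:00  krbtgt/WS.NSRC.ORG@WS.NSRC.ORG
05/10/20 10:01:12  05/10/20 20:00:00  host/noc.ws.nsrc.org@WS.NSRC.ORG
05/10/20 10:02:40  05/10/20 20:00:00  host/s1.ws.nsrc.org@WS.NSRC.ORG
"""

def parse_libdefaults(text):
    """Return the key = value pairs of the [libdefaults] section."""
    section, out = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "libdefaults" and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            out[key] = value
    return out

def kdc_dns_names(conf):
    """SRV names queried to locate a KDC when dns_lookup_kdc is true and no
    [realms] section names one explicitly (DNS names are case-insensitive)."""
    if conf.get("dns_lookup_kdc", "false").lower() != "true":
        return []
    realm = conf["default_realm"].lower()
    return [f"_kerberos._udp.{realm}", f"_kerberos._tcp.{realm}"]

def service_principals(klist_text):
    """Service principals from klist ticket lines: date time date time principal."""
    return [p[4] for p in (ln.split() for ln in klist_text.splitlines())
            if len(p) == 5 and "@" in p[4]]

def tickets_complete(klist_text, realm, hosts):
    """True if the cache holds the realm TGT plus a host/ ticket per server."""
    have = set(service_principals(klist_text))
    want = {f"krbtgt/{realm}@{realm}"} | {f"host/{h}@{realm}" for h in hosts}
    return want <= have
```

Run `tickets_complete(KLIST_OUTPUT, "WS.NSRC.ORG", ["noc.ws.nsrc.org", "s1.ws.nsrc.org"])` against real `klist` output to confirm the exercise worked; after `kdestroy` the cache is empty and the check fails.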
64 | |
---|
65 | |
---|
66 | ----------------------------------------------------------------------- |
---|
67 | |
---|
68 | Reference material [not part of the exercise] |
---|
69 | ================== |
---|
70 | |
---|
71 | We've actually enabled two different authentication mechanisms. |
---|
72 | `GSSAPIAuthentication` is the standard one (gssapi-with-mic), and just |
---|
73 | authenticates the user. `GSSAPIKeyExchange` is a new one (gssapi-keyex) |
---|
74 | which also validates the authenticity of the host. It avoids the need |
---|
75 | to accept host keys into your `known_hosts` file, because Kerberos already |
---|
76 | provides mutual authentication. |
---|
77 | |
---|
78 | `GSSAPIKeyExchange` is available as a patch to ssh, and is included by |
---|
79 | default in recent Debian/Ubuntu, RHEL6, and Fedora 13+. But it probably |
---|
80 | won't work when connecting to older Unix boxes or to BSD boxes, in |
---|
81 | which case you'll fall back to gssapi-with-mic. |
---|
82 | |
---|
83 | More info at http://www.sxw.org.uk/computing/patches/openssh.html |
---|
84 | |
---|
85 | Enabling Kerberos in HTTP clients |
---|
86 | --------------------------------- |
---|
87 | |
---|
88 | For curl, you must supply an empty username and password in option `-u` |
---|
89 | |
---|
90 | $ curl --negotiate -u: http://noc.ws.nsrc.org/secure/ |
---|
91 | |
---|
92 | For Firefox: |
---|
93 | |
---|
94 | * Go to `about:config` |
---|
95 | * Filter on "negotiate" |
---|
96 | * `network.negotiate-auth.trusted-uris ws.nsrc.org` |
---|
97 | |
---|
98 | For Google Chrome: apply the option when starting it up: |
---|
99 | |
---|
100 | /opt/google/chrome/google-chrome \ |
---|
101 | --auth-server-whitelist=*.ws.nsrc.org |
---|
102 | |
---|
103 | Enabling Kerberos in LDAP client |
---|
104 | -------------------------------- |
---|
105 | |
---|
106 | Under Ubuntu you have to have the appropriate SASL-GSSAPI module installed. |
---|
107 | |
---|
108 | # apt-get install ldap-utils libsasl2-modules-gssapi-mit |
---|
109 | |
---|
110 | $ ldapsearch -Y GSSAPI -h ldap.ws.nsrc.org \ |
---|
111 | -b "dc=ws,dc=nsrc,dc=org" "(cn=*candler*)" |
---|
112 | |
---|