
File ex1-kerberos-client.txt, 3.3 KB (added by admin, 8 years ago)

Introduction to Kerberos Lab

Exercise 1: Set up a Kerberos client
====================================

A Kerberos client is easy to set up to work with existing Kerberos
infrastructure.

Setup
-----

Install the Kerberos client packages:

    # apt-get install krb5-user

To show how little configuration is really needed, we will move the
auto-generated config file out of the way (it contains a load of junk
anyway) and create a new minimal one with just 4 lines:

    # mv /etc/krb5.conf /etc/krb5.conf.example
    # editor /etc/krb5.conf

    [libdefaults]
    default_realm = WS.NSRC.ORG
    dns_lookup_realm = true
    dns_lookup_kdc = true

The two `dns_lookup_*` lines make the client find the KDC (SRV records)
and the realm of a host (TXT records) from DNS instead of listing them
here. Neither lets an attacker mint tickets that the real services will
accept, but a rogue DNS server can direct the client to a KDC or realm of
the attacker's choosing, which is why MIT Kerberos leaves
`dns_lookup_realm` off by default. That is fine for a lab; in production
map hostnames to realms explicitly in a `[domain_realm]` section instead.

Now check that the ssh client program will try Kerberos authentication.
It's enabled by default in Ubuntu, but in other operating systems it might
not be.

    # editor /etc/ssh/ssh_config      (on Mac OS X it's /etc/ssh_config)

    ...
    GSSAPIAuthentication yes
    GSSAPIKeyExchange yes
    ...

Check that the `GSSAPIAuthentication` line is present (usually near the end
of the file, under `Host *`) and add the `GSSAPIKeyExchange` line next to
it. Don't put a comment after a directive on the same line: ssh_config only
treats whole lines starting with `#` as comments, and anything after the
value is rejected as "garbage at end of line". `GSSAPIKeyExchange` is only
understood by OpenSSH builds that carry the GSSAPI key exchange patch (see
the reference material at the end); an unpatched ssh will refuse to run
with a "Bad configuration option" error for that line, in which case leave
it out.

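An added check for the two files edited in the steps above (editorial
example code, not part of the original lab). It parses a krb5.conf and an
ssh_config the way their readers do (whole-line comments only,
case-insensitive ssh keywords, first value wins) and reports whether the
default realm and the two GSSAPI options are set. The file-path arguments,
the `--live` switch and the `check-client.sh` name are this example's own
assumptions; it handles only the `Keyword value` form of ssh_config and
does not track `Host`/`Match` blocks.

```shell
#!/bin/sh
# Added check for the two client files edited above.  Not part of the lab
# page; the paths are arguments so it can be run against any copy of them.

# Print the value of KEY from a krb5.conf-style file ("key = value"),
# skipping whole-line comments (# or ;), which is all the krb5 profile
# parser itself treats as comments.  Usage: krb5_get FILE KEY
krb5_get() {
    sed -n -e '/^[[:space:]]*[#;]/d' \
           -e "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*$//' | head -n 1
}

# Verify /etc/krb5.conf as written in the exercise.  Fails only when no
# default realm is set; the DNS lookup setting gets a note, not a failure.
check_krb5_conf() {
    file=${1:-/etc/krb5.conf}
    realm=$(krb5_get "$file" default_realm)
    if [ -z "$realm" ]; then
        echo "FAIL: $file: default_realm is not set"
        return 1
    fi
    echo "ok: default_realm = $realm"
    if [ "$(krb5_get "$file" dns_lookup_realm)" = "true" ]; then
        echo "note: dns_lookup_realm is on; a spoofed DNS reply can pick the realm"
    fi
    return 0
}

# Print the value of KEYWORD from an ssh_config file.  Keywords are matched
# case-insensitively, as ssh does, and comment lines are skipped.  Only the
# "Keyword value" form is handled, and Host/Match blocks are not tracked:
# like ssh, the first occurrence wins.  Usage: ssh_get FILE KEYWORD
ssh_get() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# Verify that both GSSAPI options from the exercise are set to yes.
check_ssh_config() {
    file=${1:-/etc/ssh/ssh_config}
    rc=0
    for opt in GSSAPIAuthentication GSSAPIKeyExchange; do
        val=$(ssh_get "$file" "$opt" | tr 'A-Z' 'a-z')
        if [ "$val" = "yes" ]; then
            echo "ok: $opt yes"
        else
            echo "FAIL: $opt is '${val:-unset}' in $file (want yes)"
            rc=1
        fi
    done
    return $rc
}

# Run against the live files:  sh check-client.sh --live
if [ "${1:-}" = "--live" ]; then
    check_krb5_conf /etc/krb5.conf
    check_ssh_config /etc/ssh/ssh_config
fi
```

`check_ssh_config` fails as soon as either option is missing or set to
anything but `yes`, so a leftover inline comment or a typo in the keyword
shows up here before you get a confusing password prompt from ssh.
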
Testing ssh client
------------------

The class Kerberos setup has an account "testuser" which you can use.

    $ kinit testuser
    ... enter password when prompted
    (password is "nsrc2020" unless you've been told otherwise)

Now you should be able to log in to servers in your Kerberos realm
without re-entering your password:

    $ ssh testuser@noc.ws.nsrc.org
    -- logout, then login somewhere else

    $ ssh testuser@s1.ws.nsrc.org
    -- logout

If you get a password prompt instead, run `klist` to confirm you still
hold a ticket-granting ticket (TGT), and retry with `ssh -v` to see which
authentication methods the client offered and which one the server
accepted.

Have a look at the tickets you've picked up:

    $ klist

You should see your own TGT plus a `host/...` service ticket for each
server you've connected to.

To get rid of them, use `kdestroy`; then check that you can no longer log
in (the server will give you a password prompt instead).


-----------------------------------------------------------------------

Reference material [not part of the exercise]
==================

We've actually enabled two different authentication mechanisms.
`GSSAPIAuthentication` is the standard one (gssapi-with-mic), and just
authenticates the user. `GSSAPIKeyExchange` is a newer one (gssapi-keyex)
which also validates the authenticity of the host. It avoids the need
to accept host keys into your `known_hosts` file, because Kerberos already
provides mutual authentication: the server can only complete the exchange
if it holds the key for its `host/<fqdn>` principal.

`GSSAPIKeyExchange` is available as a patch to ssh, and is included by
default in recent Debian/Ubuntu, RHEL6, and Fedora 13+. But it probably
won't work when connecting to older Unix boxes or to BSD boxes, in
which case you'll fall back to gssapi-with-mic, and the host's identity
then rests on the ordinary `known_hosts` check again.

More info at http://www.sxw.org.uk/computing/patches/openssh.html

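Two helpers for the checks suggested in the testing section and in the
paragraph above on gssapi-keyex versus gssapi-with-mic; this is added
example code, not from the lab page or from the OpenSSH patch. One
summarises `klist` output (principal, TGT, service tickets) and fails when
there is no TGT; the other reads `ssh -v` output and reports which
authentication method the server accepted and what that means for the host
check. The sample outputs embedded in the script are constructed (realm,
hostnames and test user from this exercise; 192.0.2.10 is a documentation
address): the `debug1: Authentication succeeded (...)` line is what OpenSSH
prints, the other sample lines are illustrative.

```shell
#!/bin/sh
# Added example, not part of the lab page: two checks on the output of the
# commands used in the exercise.  The sample outputs are constructed for
# illustration; feed the real commands in for real results.

# Summarise a ticket cache (klist output on stdin): principal, TGT and each
# service ticket, then a count.  Returns 1 if klist reported an error or
# the cache holds no TGT, i.e. kinit is needed.
klist_summary() {
    awk '
        /^klist: /            { print "FAIL: " $0; bad = 1; exit }
        /^Default principal:/ { print "principal: " $3; next }
        # Ticket lines look like:
        #   MM/DD/YYYY hh:mm:ss  MM/DD/YYYY hh:mm:ss  service/host@REALM
        NF == 5 && $5 ~ /@/ {
            if ($5 ~ /^krbtgt\//) { print "tgt: " $5 " (expires " $3 " " $4 ")"; tgt = 1 }
            else                  { print "service: " $5; n++ }
        }
        END {
            if (bad) exit 1
            if (!tgt) { print "FAIL: no TGT in cache, run kinit"; exit 1 }
            print "service tickets: " n + 0
        }
    '
}

# Report which authentication method succeeded, from "ssh -v" output on
# stdin, and what that implies for Kerberos.  Returns 1 if Kerberos was
# not used (a fall back to password means: no ticket, or GSSAPI not enabled).
ssh_auth_method() {
    method=$(sed -n 's/^debug1: Authentication succeeded (\(.*\))\.$/\1/p' | head -n 1)
    case "$method" in
        gssapi-keyex)
            echo "gssapi-keyex: user and host both authenticated by Kerberos" ;;
        gssapi-with-mic)
            echo "gssapi-with-mic: user authenticated by Kerberos; host identity rests on known_hosts" ;;
        "")
            echo "no successful authentication found in the log"
            return 1 ;;
        *)
            echo "$method: Kerberos not used; check klist and the GSSAPI options in ssh_config"
            return 1 ;;
    esac
}

# Constructed sample output (not captured from the lab systems).
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: testuser@WS.NSRC.ORG

Valid starting       Expires              Service principal
10/09/2024 10:00:00  10/09/2024 20:00:00  krbtgt/WS.NSRC.ORG@WS.NSRC.ORG
10/09/2024 10:01:12  10/09/2024 20:00:00  host/noc.ws.nsrc.org@WS.NSRC.ORG
10/09/2024 10:03:40  10/09/2024 20:00:00  host/s1.ws.nsrc.org@WS.NSRC.ORG'

SAMPLE_SSH='debug1: Next authentication method: gssapi-keyex
debug1: Authentication succeeded (gssapi-keyex).
Authenticated to s1.ws.nsrc.org ([192.0.2.10]:22).'

# Real use:  klist | klist_summary
#            ssh -v testuser@s1.ws.nsrc.org true 2>&1 | ssh_auth_method
printf '%s\n' "$SAMPLE_KLIST" | klist_summary
printf '%s\n' "$SAMPLE_SSH" | ssh_auth_method
```

Run it as-is to see the summaries of the embedded samples. In the lab,
pipe `klist` and `ssh -v testuser@s1.ws.nsrc.org true 2>&1` into the two
functions after `kinit`, and again after `kdestroy`, to watch the method
fall from gssapi-keyex (or gssapi-with-mic against a server without the
patch) back to `password`.
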
Enabling Kerberos in HTTP clients
---------------------------------

For curl, you must supply an empty username and password in option `-u`:

    $ curl --negotiate -u: http://noc.ws.nsrc.org/secure/

For Firefox:

* Go to `about:config`
* Filter on "negotiate"
* Set `network.negotiate-auth.trusted-uris` to `ws.nsrc.org`

For Google Chrome, apply the option when starting it up:

    /opt/google/chrome/google-chrome \
      --auth-server-whitelist=*.ws.nsrc.org

(Newer Chrome releases call this option `--auth-server-allowlist`.)

These site lists matter: the browser will only answer a Negotiate
challenge, and so hand over a Kerberos token, to servers that match them,
so keep them to your own domain rather than a catch-all wildcard.

Enabling Kerberos in LDAP client
--------------------------------

Under Ubuntu you have to have the appropriate SASL-GSSAPI module installed.

    # apt-get install ldap-utils libsasl2-modules-gssapi-mit

    $ ldapsearch -Y GSSAPI -h ldap.ws.nsrc.org \
        -b "dc=ws,dc=nsrc,dc=org" "(cn=*candler*)"

Newer ldap-utils deprecate `-h` in favour of a URI, `-H ldap://ldap.ws.nsrc.org`.
Either way the hostname must be the server's canonical name, because the
client asks the KDC for a ticket for `ldap/<that name>@REALM` and the bind
fails if the server has no key for that principal.
112