Exercise 1: Set up a Kerberos client
====================================

A Kerberos client is easy to set up to work with existing Kerberos
infrastructure.

Setup
-----

Install the Kerberos client packages:

    # apt-get install krb5-user

To show how little configuration is really needed, we will move the
auto-generated config file out of the way (it contains a load of junk
anyway) and create a new minimal one with just 4 lines:

    # mv /etc/krb5.conf /etc/krb5.conf.example
    # editor /etc/krb5.conf

    [libdefaults]
        default_realm = WS.NSRC.ORG
        dns_lookup_realm = true
        dns_lookup_kdc = true

Now check that the ssh client program will try Kerberos authentication.
It is enabled by default in Ubuntu, but in other operating systems it might
not be.

    # editor /etc/ssh/ssh_config      (on Mac OS X it's /etc/ssh_config)

    ...
    GSSAPIAuthentication yes          # check this line is present (near the end)
    GSSAPIKeyExchange yes             # add this line too
    ...
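The following is an added example and not part of the NSRC exercise: a small Python script that parses a krb5.conf and an ssh_config of the shape shown above and reports anything that differs from what the Setup section asks for. It also lists the DNS SRV names a client with `dns_lookup_kdc = true` queries to find its KDC, which is why the file can stay this short. Both input files are constructed inline (the krb5.conf is the one above; the ssh_config deliberately lacks `GSSAPIKeyExchange`), so it runs without a KDC or network, and all function names are my own.

```python
"""Added example (not part of the NSRC exercise): offline check of the
client-side settings edited in the Setup section.

It parses a krb5.conf-style file and an ssh_config-style file and lists
anything that differs from what the exercise expects. The sample inputs
are constructed inline so the check runs with no KDC or network.
"""
import re

# Constructed sample: the 4-line krb5.conf from the exercise.
KRB5_CONF = """\
[libdefaults]
    default_realm = WS.NSRC.ORG
    dns_lookup_realm = true
    dns_lookup_kdc = true
"""

# Constructed sample ssh_config: GSSAPIAuthentication is present (the
# Ubuntu default) but GSSAPIKeyExchange has not been added yet.
SSH_CONFIG = """\
# This is the ssh client system-wide configuration file.
Host *
#   ForwardAgent no
    GSSAPIAuthentication yes
    SendEnv LANG LC_*
"""


def parse_krb5_conf(text):
    """Return {section: {key: value}} for the top-level keys of each [section].
    Nested relation blocks (e.g. a realm entry inside [realms]) are skipped,
    which is enough for checking [libdefaults]."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = re.split(r'[#;]', raw, maxsplit=1)[0].strip()  # '#' and ';' start comments
        if not line:
            continue
        m = re.fullmatch(r'\[(\w+)\]', line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
        elif line.endswith('{'):
            depth += 1
        elif line == '}':
            depth -= 1
        elif depth == 0 and current is not None and '=' in line:
            key, value = (part.strip() for part in line.split('=', 1))
            sections[current][key] = value
    return sections


def parse_ssh_config(text):
    """Return {keyword: value} with keywords lower-cased (ssh_config keywords
    are case-insensitive). ssh_config is first-match-wins, so the earlier
    value is kept when a keyword repeats. Host blocks are flattened, which is
    fine for a global-defaults check like this one."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        parts = re.split(r'\s*=\s*|\s+', line, maxsplit=1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def check_client(krb5_text, ssh_text):
    """Return a list of problems; an empty list means the client matches the
    configuration the exercise describes."""
    problems = []
    lib = parse_krb5_conf(krb5_text).get('libdefaults', {})
    realm = lib.get('default_realm', '')
    if not realm:
        problems.append('krb5.conf: no default_realm in [libdefaults]')
    elif realm != realm.upper():
        # Realm names are case-sensitive and conventionally upper-case.
        problems.append(f'krb5.conf: default_realm {realm!r} is not upper-case')
    for key in ('dns_lookup_realm', 'dns_lookup_kdc'):
        if lib.get(key, '').lower() != 'true':
            problems.append(f'krb5.conf: {key} is not true; without it the KDC '
                            'has to be listed under [realms]')
    ssh = parse_ssh_config(ssh_text)
    if ssh.get('gssapiauthentication', '').lower() != 'yes':
        problems.append('ssh_config: GSSAPIAuthentication is not yes')
    if ssh.get('gssapikeyexchange', '').lower() != 'yes':
        problems.append('ssh_config: GSSAPIKeyExchange is not yes; host identity '
                        'will still rely on known_hosts')
    return problems


def kdc_srv_names(realm):
    """SRV records a client with dns_lookup_kdc = true queries to locate the
    KDC for a realm (standard Kerberos DNS convention)."""
    return [f'_kerberos._udp.{realm}', f'_kerberos._tcp.{realm}']


if __name__ == '__main__':
    for problem in check_client(KRB5_CONF, SSH_CONFIG) or ['OK: client matches the exercise']:
        print(problem)
    print('KDC lookups:', kdc_srv_names('WS.NSRC.ORG'))
```

Run as-is it reports only the missing `GSSAPIKeyExchange` line; point the two constants at the real `/etc/krb5.conf` and `/etc/ssh/ssh_config` to check a live machine.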

Testing ssh client
------------------

The class Kerberos setup has an account "testuser" which you can use.

    $ kinit testuser
    ... enter password when prompted
    (password is "nsrc2020" unless you've been told otherwise)

Now you should be able to log in to servers in your Kerberos realm
without re-entering your password:

    $ ssh testuser@noc.ws.nsrc.org
    -- logout, then login somewhere else

    $ ssh testuser@s1.ws.nsrc.org
    -- logout

Have a look at the tickets you've picked up:

    $ klist

You should see your own TGT plus tickets for the servers you've connected
to.

To get rid of them, use `kdestroy`; then check that you can no longer log in
(the server will give you a password prompt instead).

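As an added example (not part of the exercise), here is a Python parser for MIT-style `klist` output that separates your TGT from the per-host service tickets and flags any that have expired, which is what the two `klist` checks above (after the ssh logins, and again after `kdestroy`) are looking for. The sample output is constructed to match what the exercise produces (a `krbtgt/WS.NSRC.ORG` ticket plus `host/` tickets for noc and s1); the timestamp format follows the MIT default, which is locale-dependent, so adjust `FMT` if your `klist` prints dates differently. Function names are my own.

```python
"""Added example (not part of the NSRC exercise): parse MIT-style klist
output and report the TGT and the ssh host tickets it contains."""
import re
from datetime import datetime

# Constructed sample: what klist shows after kinit and two ssh logins.
KLIST_OUTPUT = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: testuser@WS.NSRC.ORG

Valid starting     Expires            Service principal
01/15/20 09:00:00  01/15/20 19:00:00  krbtgt/WS.NSRC.ORG@WS.NSRC.ORG
\trenew until 01/22/20 09:00:00
01/15/20 09:05:12  01/15/20 19:00:00  host/noc.ws.nsrc.org@WS.NSRC.ORG
01/15/20 09:07:40  01/15/20 19:00:00  host/s1.ws.nsrc.org@WS.NSRC.ORG
"""

# Constructed sample: what klist prints after kdestroy.
KLIST_EMPTY = "klist: No credentials cache found (filename: /tmp/krb5cc_1000)\n"

FMT = '%m/%d/%y %H:%M:%S'   # MIT default in the C locale; adjust to your klist
TS = r'\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}'
ROW = re.compile(rf'^({TS})\s+({TS})\s+(\S+)$')
RENEW = re.compile(rf'^\s+renew until ({TS})$')


def parse_klist(text):
    """Return (default principal or None, list of ticket dicts)."""
    principal, tickets = None, []
    for line in text.splitlines():
        if line.startswith('Default principal:'):
            principal = line.split(':', 1)[1].strip()
            continue
        m = ROW.match(line)
        if m:
            start, end, service = m.groups()
            tickets.append({'service': service,
                            'valid_from': datetime.strptime(start, FMT),
                            'expires': datetime.strptime(end, FMT),
                            'renew_until': None})
            continue
        m = RENEW.match(line)
        if m and tickets:   # continuation line belonging to the row above
            tickets[-1]['renew_until'] = datetime.strptime(m.group(1), FMT)
    return principal, tickets


def summarize(text, now_str):
    """Summarize a ticket cache as of `now_str` (same format as klist)."""
    now = datetime.strptime(now_str, FMT)
    principal, tickets = parse_klist(text)
    realm = principal.rsplit('@', 1)[1] if principal else None
    # Only the TGT for the principal's own realm counts; a cross-realm
    # krbtgt/OTHER@REALM ticket is not what lets you log in within REALM.
    has_tgt = any(t['service'] == f'krbtgt/{realm}@{realm}' for t in tickets)
    # host/<fqdn>@REALM tickets are the ones ssh picked up for each server.
    ssh_hosts = sorted(t['service'][len('host/'):].rsplit('@', 1)[0]
                       for t in tickets if t['service'].startswith('host/'))
    expired = sorted(t['service'] for t in tickets if t['expires'] <= now)
    return {'principal': principal, 'realm': realm, 'has_tgt': has_tgt,
            'ssh_hosts': ssh_hosts, 'expired': expired}


if __name__ == '__main__':
    for label, text in (('after ssh logins', KLIST_OUTPUT),
                        ('after kdestroy', KLIST_EMPTY)):
        print(label, summarize(text, '01/15/20 12:00:00'))
```

An empty cache (the `kdestroy` case) yields no principal and `has_tgt` false rather than an exception, which is the state in which the server falls back to prompting for a password.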
-----------------------------------------------------------------------

Reference material [not part of the exercise]
==================

We've actually enabled two different authentication mechanisms.
`GSSAPIAuthentication` is the standard one (gssapi-with-mic), and just
authenticates the user. `GSSAPIKeyExchange` is a new one (gssapi-keyex)
which also validates the authenticity of the host. It avoids the need
to accept host keys into your `known_hosts` file, because Kerberos already
provides mutual authentication.

`GSSAPIKeyExchange` is available as a patch to ssh, and is included by
default in recent Debian/Ubuntu, RHEL6, and Fedora 13+. But it probably
won't work when connecting to older Unix boxes or to BSD boxes, in
which case you'll fall back to gssapi-with-mic.

More info at http://www.sxw.org.uk/computing/patches/openssh.html

Enabling Kerberos in HTTP clients
---------------------------------

For curl, you must supply an empty username and password in option `-u`:

    $ curl --negotiate -u: http://noc.ws.nsrc.org/secure/

For Firefox:

* Go to `about:config`
* Filter on "negotiate"
* Set `network.negotiate-auth.trusted-uris` to `ws.nsrc.org`

For Google Chrome, apply the option when starting it up:

    /opt/google/chrome/google-chrome \
        --auth-server-whitelist=*.ws.nsrc.org

Enabling Kerberos in LDAP client
--------------------------------

Under Ubuntu you have to have the appropriate SASL-GSSAPI module installed.

    # apt-get install ldap-utils libsasl2-modules-gssapi-mit

    $ ldapsearch -Y GSSAPI -h ldap.ws.nsrc.org \
        -b "dc=ws,dc=nsrc,dc=org" "(cn=*candler*)"