Exercise 1: Set up a kerberos client ==================================== A Kerberos client is easy to set up to work with existing Kerberos infrastructure. Setup ----- Install the Kerberos client packages: # apt-get install krb5-user To show how little configuration is really needed, we will move the auto-generated config file out of the way (which contains a load of junk anyway) and create a new minimal one with just 4 lines: # mv /etc/krb5.conf /etc/krb5.conf.example # editor /etc/krb5.conf [libdefaults] default_realm = WS.NSRC.ORG dns_lookup_realm = true dns_lookup_kdc = true Now check that the ssh client program will try Kerberos authentication. It's enabled by default in Ubuntu, but in other operating systems it might not be. # editor /etc/ssh/ssh_config (on MacOSX it's /etc/ssh_config) ... GSSAPIAuthentication yes # check this line present (near end) GSSAPIKeyExchange yes # add this line too ... Testing ssh client ------------------ The class Kerberos setup has an account "testuser" which you can use. $ kinit testuser ... enter password when prompted (password is "nsrc2020" unless you've been told otherwise) Now you should now be able to login to servers in your Kerberos realm without re-entering your password: $ ssh testuser@noc.ws.nsrg.org -- logout, then login somewhere else $ ssh testuser@s1.ws.nsrc.org -- logout Have a look at the tickets you've picked up: $ klist You should see your own TGT plus tickets for the servers you've connected to. To get rid of them, use `kdestroy`; check that you can no longer login (the server will give you a password prompt instead) ----------------------------------------------------------------------- Reference material [not part of the exercise] ================== We've actually enabled two different authentication mechanisms. `GSSAPIAuthentication` is the standard one (gssapi-with-mic), and just authenticates the user. `GSSAPIKeyExchange` is a new one (gssapi-keyex) which also validates the authenticity of the host. It avoids the need to accept host keys into your `known_hosts` file, because Kerberos already provides mutual authentication. `GSSAPIKeyExchange` is available as a patch to ssh, and is included by default in recent Debian/Ubuntu, RHEL6, and Fedora 13+. But it probably won't work when connecting to older Unix boxes or to BSD boxes, in which case you'll fall back to gssapi-with-mic. More info at http://www.sxw.org.uk/computing/patches/openssh.html Enabling Kerberos in HTTP clients --------------------------------- For curl, you must supply an empty username and password in option `-u` $ curl --negotiate -u: http://noc.ws.nsrc.org/secure/ For Firefox: * Go to `about:config` * Filter on "negotiate" * `network.negotiate-auth.trusted-uris ws.nsrc.org` For Google Chrome: apply the option when starting it up: /opt/google/chrome/google-chrome \ --auth-server-whitelist=*.ws.nsrc.org Enabling Kerberos in LDAP client -------------------------------- Under Ubuntu you have to have the appropriate SASL-GSSAPI module installed. # apt-get install ldap-utils libsasl2-modules-gssapi-mit $ ldapsearch -Y GSSAPI -h ldap.ws.nsrc.org \ -b "dc=ws,dc=nsrc,dc=org" "(cn=*candler*)"