Kerberos, Linux, and Fermilab


Updated September 1, 2007
Soon to be moved to https://fermilinux.fnal.gov/documentation/security/

Introduction
Fermilab's Kerberos RPMS
Fermilab Kerberos Config Files
Setup (Basic Steps)
Setup (Fermi Linux)
Setup (Scientific Linux 3.0.x), (Scientific Linux 4.x)
Setup Scientific Linux Cern 4.x
Setup (Generic Older Linux Distribution)
Setup (Newer Linux Distribution) - SL5, RHEL5, Fedora 8+, Ubuntu 8+


Introduction

Fermilab tries to use kerberos for all authentication whenever possible. Fermilab's policies on kerberos can be found at Fermilab's 'Strong Authentication' web pages.

In pursuit of all authentication being kerberized, Fermilab has released its own flavor of Kerberos. It is basically MIT's Kerberos with a few tweaks that were wanted here. The main addition is that Fermilab's kerberos allows you to use a 'cryptocard' to authenticate yourself.
The cryptocard gives you 'one time' passwords, so you can authenticate yourself from a non-kerberized machine.

Fermilab's kerberos is compatible with MIT's kerberos. It is not necessary for a linux machine to use Fermilab's kerberos to log into the Fermilab realm.
Fermilab's kerberos can also be installed alongside MIT's kerberos. In the various Fermi Linux distributions, we install both MIT's kerberos and Fermilab's kerberos. They are in two different directories (/usr/kerberos and /usr/krb5). We simply put Fermilab's kerberos in your path.

NEW
In 2007 we managed to move the cryptocard functionality to pam_krb5. This allowed us to not have to run a specialized version of kerberos and openssh.
Scientific Linux Fermi 5.0 was our first distribution that only had configuration changes for kerberos, and not the Fermi Kerberos programs.


Fermilab's Kerberos RPMs

KERBEROS
krb5-libs-fermi
krb5-workstation-fermi
The binaries and man pages from the kerberos product. These get installed in /usr/krb5.
They do not do any configuration, but krb5-workstation-fermi does put /usr/krb5/bin in your path.

krb5-fermi-krb5.conf
This rpm gives you a krb5.conf file set up to work with the FNAL.GOV kerberos realm. If you already have a krb5.conf, it saves the old one off.

krb5-fermi-config
This does the configuration that you need to be fully kerberized. It edits your krb5.conf, services, and sshd_config. It will also edit your config files in xinetd.d.
Each of these configuration steps is a script stored in /usr/krb5/config/, in case you want to redo one or all of them.
It also has a script called 'makehostkeys'. This script is used to create your host or ftp principal. It must be run by hand after you get a host principal password by filling out the proper form.

The above rpms are available at
ftp://linux.fnal.gov/linux/contrib/kerberos/
You will need to go into the appropriate directory for your linux release and get the rpms.
The rpms that end in current.rpm are links to the latest stable releases. At times there might be several versions of some of these rpms; when you don't know which one to get, get the current.rpm.

OPENSSH NEW
Fermilab used to have to build its own version of openssh in order to use the cryptocard function. In 2007, when this functionality was moved to the pam module pam_krb5, we were able to update to unmodified versions of openssh. But there were other problems.
Older patched versions of openssh (versions 3.8 and older) used an authentication method called gssapi to do kerberos authentication. Newer versions of openssh (versions 3.9 and newer) use a similar method called gssapi-with-mic. The problem is that gssapi-with-mic is not compatible with gssapi. So, a new version of openssh could not do kerberos authentication with an old version of openssh, and vice versa.
In August 2007 Fermilab updated all supported versions of Fermi Linux to its modified version of openssh. This modified version is the openssh from RedHat Enterprise Linux 4, with a patch that allows it to do both gssapi and gssapi-with-mic, and thus work with both the older versions of openssh and the newer versions.
Because Fermilab is now running a newer version of openssh, people who are running newer versions of openssh do not have to change their version of openssh to be able to log into Fermilab.
If you want our patched version of openssh, you can get it at
ftp://linux.fnal.gov/linux/contrib/openssh/lts30x/
ftp://linux.fnal.gov/linux/contrib/openssh/lts4x/
Note that these versions have their configuration files changed so that the openssh server only allows kerberos authentication, and will not do passwords. If you want a version of this patched openssh that has the standard configurations as they come from RedHat, you can get them at
ftp://linux.fnal.gov/linux/contrib/openssh/sl30x/
ftp://linux.fnal.gov/linux/contrib/openssh/sl4x/


Fermilab's Kerberos Config Files

The kerberos 5 config file on RedHat based machines is at /etc/krb5.conf
Here is the official Fermilab krb5.conf file

The kerberized openssh config file on RedHat based machines is at /etc/ssh/sshd_config
kerberized sshd_config (before openssh 3.9)
old kerberized sshd_config (before openssh 3.9)


Setup - Basic Steps

There are two ways you can have kerberos configured. You can have your machine configured to be Outbound Only, or you can configure it to be both Outbound and Inbound.
If you are only going to be logging into other machines, and no one is supposed to log into your machine over the network, this is considered an Outbound Only setup. This is the common setup for laptops, because most people expect their laptops to travel, their IP address to change all the time, and basically no one should be logging into them.
If you plan on people logging into your machine over the network using kerberos, then you need to follow the steps for the Outbound and Inbound setup. This is usually for machines that are servers, or desktops that people log into.

Outbound Only

  1. Get kerberos on your machine.
    Most modern linux distributions have kerberos, and almost all of them work with Fermi's kerberos. You can use MIT's kerberos, Heimdal's kerberos, or the kerberos that came with your distribution. Most any of them will work.
    Just remember that while all of them work together ... not all of them have the same command line arguments.
  2. Get kerberized openssh, that uses gssapi or gssapi-with-mic protocol, on your machine
    Most modern linux distributions have openssh 3.9 and above. openssh 3.9 and above has gssapi-with-mic built into it, and it will work.
    If your version of linux has an older version of openssh, it most likely does not use gssapi. We have been collecting various versions of openssh that have the gssapi patches in our contrib area. You can check and see if your distribution has a version there. It is at
    ftp://linux.fnal.gov/linux/contrib/openssh/
  3. Put the Fermi settings in your krb5.conf.
    You can do this by installing one of the config rpms listed above, or using one of the above config files. Or if you are bound to several kerberos realms, you can edit your krb5.conf and just put the important stuff from our config files into your config files.
    The default area for a krb5.conf file is /etc/krb5.conf
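A preflight script for steps 2 and 3 above, added here as an example (it is not from the Fermilab page): it works out from the `ssh -V` banner whether a client has gssapi-with-mic built in or only speaks the older gssapi method, and checks that krb5.conf defines the FNAL.GOV realm. The krb5.conf it writes is a constructed sample with a placeholder kdc name, not the official Fermilab file.

```shell
#!/bin/sh
# Preflight for the Outbound Only steps (added example, not from the Fermilab
# page). Pass "$(ssh -V 2>&1)" and /etc/krb5.conf; the demo uses a sample file.

# ssh_gssapi_method "OpenSSH_x.y..." -> the GSSAPI userauth method that
# client speaks: 3.9 and newer have gssapi-with-mic built in; 3.8 and
# older only do the old gssapi method, and only with the contrib patch.
ssh_gssapi_method() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || { echo unknown; return 1; }
    major=${ver% *}; minor=${ver#* }
    if [ "$major" -gt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -ge 9 ]; }
    then echo gssapi-with-mic; else echo gssapi; fi
}

# krb5_default_realm FILE -> the default_realm value (the line the SLC
# section below switches from CERN.CH to FNAL.GOV).
krb5_default_realm() {
    sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# krb5_has_realm FILE REALM -> 0 if the [realms] section defines REALM.
krb5_has_realm() {
    awk -v realm="$2" '
        /^[[:space:]]*\[/ { inrealms = ($0 ~ /^[[:space:]]*\[realms\]/); next }
        inrealms { n = $0; sub(/^[[:space:]]+/, "", n); sub(/[[:space:]]*=.*/, "", n)
                   if (n == realm) found = 1 }
        END { exit !found }' "$1"
}

# outbound_preflight SSH_VERSION KRB5_CONF -> 0 when steps 2 and 3 are met
# for FNAL.GOV; prints one line per problem or warning.
outbound_preflight() {
    rc=0
    method=$(ssh_gssapi_method "$1") || rc=1
    [ "$method" = gssapi-with-mic ] ||
        echo "ssh speaks $method: only works against the gssapi-patched openssh"
    krb5_has_realm "$2" FNAL.GOV || { echo "krb5.conf: no FNAL.GOV in [realms]"; rc=1; }
    [ "$(krb5_default_realm "$2")" = FNAL.GOV ] ||
        echo "krb5.conf: default_realm is not FNAL.GOV, so use kinit user@FNAL.GOV"
    return $rc
}

# Constructed sample krb5.conf (not Fermilab's; the kdc name is a placeholder).
sample_krb5_conf() {
    f=$(mktemp) || return 1
    printf '%s\n' '[libdefaults]' '  default_realm = FNAL.GOV' '[realms]' \
        '  FNAL.GOV = {' '    kdc = kdc.placeholder.invalid' '  }' >"$f"
    echo "$f"
}
conf=$(sample_krb5_conf)
outbound_preflight 'OpenSSH_4.3p2, OpenSSL 0.9.8b 04 May 2006' "$conf" && echo "outbound setup OK"
rm -f "$conf"
```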

Outbound and Inbound

  1. Get kerberos on your machine.
    Most modern linux distributions have kerberos, and almost all of them work with Fermi's kerberos. You can use MIT's kerberos, Heimdal's kerberos, or the kerberos that came with your distribution. Most any of them will work.
    Just remember that while all of them work together ... not all of them have the same command line arguments.
  2. Get kerberized openssh, that uses gssapi or gssapi-with-mic protocol, on your machine
    Most modern linux distributions have openssh 3.9 and above. openssh 3.9 and above has gssapi-with-mic built into it, and it will work.
    If your version of linux has an older version of openssh, it most likely does not use gssapi. We have been collecting various versions of openssh that have the gssapi patches in our contrib area. You can check and see if your distribution has a version there. It is at
    ftp://linux.fnal.gov/linux/contrib/openssh/
  3. Put the Fermi settings in your krb5.conf.
    You can do this by installing one of the config rpms listed above, or using one of the above config files. Or if you are bound to several kerberos realms, you can edit your krb5.conf and just put the important stuff from our config files into your config files.
    The default area for a krb5.conf file is /etc/krb5.conf
  4. Kerberize your openssh daemon config file.
    The easiest way is to just replace your sshd_config file with the one shown above.
    The default area for a sshd_config file is /etc/ssh/sshd_config
  5. Get a kerberos host principal.
    Get a host principal password  from here.
    Run the makehostkeys script to make your host principal.
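Two checks for the inbound steps (the host keytab that makehostkeys or kadmin ktadd creates, and the kerberized sshd_config), added here as an example and not from the Fermilab page. The klist listing and sshd_config it uses are constructed samples; the settings it expects (GSSAPIAuthentication yes, PasswordAuthentication no, and UsePAM yes when cryptocard logins are wanted) are an assumption based on "only allows kerberos authentication" above, not a copy of the official file.

```shell
#!/bin/sh
# Checks for an Outbound and Inbound host (added example, not from the
# page): is host/<fqdn>@FNAL.GOV in the keytab, and does sshd_config
# allow only kerberos (plus PAM when cryptocard logins are wanted)?

# keytab_has_host_principal KLIST_OUTPUT FQDN -> 0 if the listing from
# `klist -k /etc/krb5.keytab` holds host/FQDN@FNAL.GOV. The usual
# mistake is a keytab made for the short host name instead of the full one.
keytab_has_host_principal() {
    printf '%s\n' "$1" | awk -v want="host/$2@FNAL.GOV" '
        NF >= 2 && $NF == want { found = 1 }
        END { exit !found }'
}

# sshd_option FILE KEYWORD -> first value of KEYWORD in an sshd_config.
# Keywords are case-insensitive and "Key value" and "Key=value" both
# count, which is why the page's "UsePam=yes" form works.
sshd_option() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }
        { line = $0; sub(/^[[:space:]]+/, "", line)
          split(line, kv, /[[:space:]]*=[[:space:]]*|[[:space:]]+/)
          if (tolower(kv[1]) == key) { print kv[2]; exit } }' "$1"
}

# sshd_kerberos_audit FILE CRYPTOCARD(yes|no) -> 0 if GSSAPI is on,
# passwords are off, and UsePAM is on when cryptocard logins are wanted;
# prints one line per deviation. (Assumed settings, see the lead-in.)
sshd_kerberos_audit() {
    rc=0
    check() { got=$(sshd_option "$1" "$2")
        [ "$got" = "$3" ] || { echo "$2 is '${got:-unset}', expected $3"; rc=1; }; }
    check "$1" GSSAPIAuthentication yes
    check "$1" PasswordAuthentication no
    [ "$2" = yes ] && check "$1" UsePAM yes
    return $rc
}

# Constructed sample inputs (not from a real host): a klist -k listing,
# and an sshd_config still at UsePam=no as before the zz_sshd_pam rpm.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------
   2 host/myhost.fnal.gov@FNAL.GOV'
sample_sshd_config() {
    f=$(mktemp) || return 1
    printf '%s\n' 'Protocol 2' 'GSSAPIAuthentication yes' \
        'PasswordAuthentication no' 'UsePam=no' >"$f"
    echo "$f"
}

keytab_has_host_principal "$SAMPLE_KLIST" myhost.fnal.gov ||
    echo "keytab: host/myhost.fnal.gov@FNAL.GOV missing"
cfg=$(sample_sshd_config); sshd_kerberos_audit "$cfg" yes; rm -f "$cfg"
```

Run on a real host as keytab_has_host_principal "$(klist -k /etc/krb5.keytab)" "$(hostname -f)" and sshd_kerberos_audit /etc/ssh/sshd_config yes.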


Setup - Fermi Linux

Scientific Linux Fermi 5.x, 4.x, and 3.0.x (LTS 3.0.x)

Outbound Only
Nothing. Scientific Linux Fermi comes kerberized out of the box with kerberos already installed and properly configured.

Outbound and Inbound

  1. Get a host principal password  from here
  2. /usr/krb5/config/makehostkeys   ( use password from previous step )
  3. Get the openssh server rpm if it isn't already installed
    yum install openssh-server
  4. If you want incoming users to be able to use their cryptocard to get into the machine
    Change the setting in /etc/ssh/sshd_config from "UsePam=no" to "UsePam=yes" and then restart your ssh daemon
    The easiest way to do this is to install the zz_sshd_pam rpm
    yum install zz_sshd_pam
    service sshd restart


Setup - Scientific Linux

Scientific Linux 3.0.x and RHEL 3

Outbound Only

  1. Optional: Install Fermilab's kerberos
    This is optional because RedHat's kerberos works just fine.
    I have found that Fermilab's kerberos works better behind NATs than RedHat's default kerberos.
    You do not have to remove RedHat's kerberos to install Fermilab's. They live in different directories and can both be on the machine with no side effects.
    rpm -Uvh ftp://linux.fnal.gov/linux/contrib/kerberos/lts3x/krb5-libs-fermi-current.rpm
    rpm -Uvh ftp://linux.fnal.gov/linux/contrib/kerberos/lts3x/krb5-workstation-fermi-current.rpm
  2. Configure your krb5.conf in either of the following ways
  3. Install a kerberized openssh that does gssapi authentication
    1. mkdir openssh
    2. cd openssh
    3. lftp ftp://linux.fnal.gov/linux/contrib/openssh/sl30x/
      cd to your appropriate arch, usually 'cd i386'
      mget *.rpm
      quit
    4. rpm -Fvh openssh*.rpm

Outbound and Inbound
Note: Inbound kerberos connections can be handled with RedHat's kerberos. The only difference is that you will not have Cryptocard support. If you want Cryptocard support, or you just want your machine to be like an SL-Fermi machine, do the instructions that start with Cryptocard:.

  1. Cryptocard: Install Fermilab's kerberos
    You do not have to remove RedHat's kerberos to install Fermilab's. They live in different directories and can both be on the machine with no side effects.
    rpm -Uvh ftp://linux.fnal.gov/linux/contrib/kerberos/lts3x/krb5-libs-fermi-current.rpm
    rpm -Uvh ftp://linux.fnal.gov/linux/contrib/kerberos/lts3x/krb5-workstation-fermi-current.rpm
  2. Configure your krb5.conf in either of the following ways
  3. Install a kerberized openssh that does gssapi authentication
    1. mkdir openssh
    2. cd openssh
    3. lftp ftp://linux.fnal.gov/linux/contrib/openssh/sl30x/
      cd to your appropriate arch, usually 'cd i386'
      mget *.rpm
      quit
    4. rpm -Fvh openssh*.rpm

    OR
      Cryptocard:
    1. mkdir openssh
    2. cd openssh
    3. lftp ftp://linux.fnal.gov/linux/contrib/openssh/lts30x/
      mget *.rpm
      quit
    4. rpm -Fvh openssh*.rpm
    5. edit /etc/yum.d/yum.cron.excludes
      add openssh* to the end of the line
    6. edit /etc/yum.conf
      add exclude=openssh* up in the [main] section
  4. Get a host principal password  from here
  5. Make the host keytab. This is the one step where installing Fermilab's kerberos makes things easier.
    Cryptocard: /usr/krb5/config/makehostkeys   ( use password from previous step )
    OR, using kadmin:
    kadmin -r FNAL.GOV -p host/{full.host.name}@FNAL.GOV -w {password} -q "ktadd host/{full.host.name}@FNAL.GOV"
    Where {full.host.name} is the full name of the computer, basically what you put down on the form in the previous step,
    and {password} is the password sent to you in the previous step.

Scientific Linux 4.x and RHEL 4

Outbound Only

  1. Optional: Install Fermilab's kerberos
    This is optional because RedHat's kerberos works just fine.
    I have found that Fermilab's kerberos works better behind NATs than RedHat's default kerberos.
    You do not have to remove RedHat's kerberos to install Fermilab's. They live in different directories and can both be on the machine with no side effects.
    rpm -Uvh ftp://linux.fnal.gov/linux/contrib/kerberos/lts4x/krb5-libs-fermi-current.rpm
    rpm -Uvh ftp://linux.fnal.gov/linux/contrib/kerberos/lts4x/krb5-workstation-fermi-current.rpm
  2. Configure your krb5.conf in either of the following ways
  3. Install a kerberized openssh that does gssapi authentication
    1. mkdir openssh
    2. cd openssh
    3. lftp ftp://linux.fnal.gov/linux/contrib/openssh/sl4x/
      cd to your appropriate arch, usually 'cd i386'
      mget *.rpm
      quit
    4. rpm -Fvh openssh*.rpm

Outbound and Inbound
Note: Inbound kerberos connections can be handled with RedHat's kerberos. The only difference is that you will not have Cryptocard support. If you want Cryptocard support, or you just want your machine to be like an SL-Fermi machine, do the instructions that start with Cryptocard:.

  1. Cryptocard: Install Fermilab's kerberos
    You do not have to remove RedHat's kerberos to install Fermilab's. They live in different directories and can both be on the machine with no side effects.
    rpm -Uvh ftp://linux.fnal.gov/linux/contrib/kerberos/lts4x/krb5-libs-fermi-current.rpm
    rpm -Uvh ftp://linux.fnal.gov/linux/contrib/kerberos/lts4x/krb5-workstation-fermi-current.rpm
  2. Configure your krb5.conf in either of the following ways
  3. Install a kerberized openssh that does gssapi authentication
    1. mkdir openssh
    2. cd openssh
    3. lftp ftp://linux.fnal.gov/linux/contrib/openssh/sl4x/
      cd to your appropriate arch, usually 'cd i386'
      mget *.rpm
      quit
    4. rpm -Fvh openssh*.rpm

    OR
      Cryptocard:
    1. mkdir openssh
    2. cd openssh
    3. lftp ftp://linux.fnal.gov/linux/contrib/openssh/lts4x/
      mget *.rpm
      quit
    4. rpm -Fvh openssh*.rpm
    5. edit /etc/yum.d/yum.cron.excludes
      add openssh* to the end of the line
    6. edit /etc/yum.conf
      add exclude=openssh* up in the [main] section
  4. Get a host principal password  from here
  5. Make the host keytab. This is the one step where installing Fermilab's kerberos makes things easier.
    Cryptocard: /usr/krb5/config/makehostkeys   ( use password from previous step )
    OR, using kadmin:
    kadmin -r FNAL.GOV -p host/{full.host.name}@FNAL.GOV -w {password} -q "ktadd host/{full.host.name}@FNAL.GOV"
    Where {full.host.name} is the full name of the computer, basically what you put down on the form in the previous step,
    and {password} is the password sent to you in the previous step.


Scientific Linux Cern 4.x

SLC 4.x comes with openssh-4.3p2-4.cern, which is kerberized and compatible with Fermilab's openssh. It also comes with a krb5.conf that already has the proper FNAL.GOV realm settings.
So to get a fermilab kerberos ticket all a user has to do is
kinit {username}@FNAL.GOV
And to ssh into a fermi kerberized machine all they have to do is
ssh -2 {host.fnal.gov}

If for some reason they do not want to have to add those extra options (let's say they are staying at Fermilab for a month or so), they would just have to change the line in krb5.conf from
default_realm = CERN.CH
to
default_realm = FNAL.GOV
And in their $HOME/.ssh/config file (or /etc/ssh/ssh_config if they want it global):

Host *.fnal.gov
  protocol = 2


Setup - Generic Linux

Fedora Core 2

Outbound only: So that you can log into fermilab and its computers, but you don't expect anyone to log into your machine.
  1. become root, and do all the following as root
  2. yum install krb5-workstation
  3. rpm -Uvh ftp://linux.fnal.gov/linux/contrib/kerberos/fedora2/krb5-fermi-krb5.conf-current.rpm
  4. mkdir openssh
  5. cd openssh
  6. lftp ftp://linux.fnal.gov/linux/contrib/openssh/fedora2/
    mget *.rpm
    quit
  7. rpm -Fvh openssh*.rpm

Fedora Core 3

Outbound only: So that you can log into fermilab and its computers, but you don't expect anyone to log into your machine.
  1. become root, and do all the following as root
  2. yum install krb5-workstation
  3. rpm -Uvh ftp://linux.fnal.gov/linux/contrib/kerberos/fedora3/krb5-fermi-krb5.conf-current.rpm
  4. mkdir openssh
  5. cd openssh
  6. lftp ftp://linux.fnal.gov/linux/contrib/openssh/fedora3/
    mget *.rpm
    quit
  7. rpm -Fvh openssh*.rpm

Fedora Core 4

Outbound only: So that you can log into fermilab and its computers, but you don't expect anyone to log into your machine.
  1. become root, and do all the following as root
  2. yum install krb5-workstation
  3. rpm -Uvh ftp://linux.fnal.gov/linux/contrib/kerberos/fedora4/krb5-fermi-krb5.conf-current.rpm
  4. mkdir openssh
  5. cd openssh
  6. lftp ftp://linux.fnal.gov/linux/contrib/openssh/lts4x/
    mget *.rpm
    quit
  7. rpm -e --nodeps openssh openssh-clients openssh-server openssh-askpass openssh-askpass-gnome
  8. rpm -Uvh openssh*.rpm
    Note: You might not be able to install openssh-askpass or openssh-askpass-gnome, depending on what you already had installed. If that is the case, just delete them and try again.

Mandrake 2006.0

Outbound only: So that you can log into fermilab and its computers, but you don't expect anyone to log into your machine.
  1. become root, and do all the following as root
  2. mkdir kerb
  3. cd kerb
  4. lftp ftp://linux.fnal.gov/linux/contrib/kerberos/sl4x
    mget *current*
    quit
  5. rm -f krb5-fermi-config-current.rpm
  6. rpm -Uvh krb5*.rpm
  7. cd ..
  8. mkdir openssh
  9. cd openssh
  10. lftp ftp://linux.fnal.gov/linux/contrib/openssh/lts4x/
    mget *.rpm
    quit
  11. rm -f openssh-askpass*
  12. rpm -e --nodeps openssh openssh-clients openssh-server
  13. rpm -Uvh openssh*.rpm

SuSE 9.2

Sent in by Juerg Beringer
Outbound only: So that you can log into fermilab and its computers, but you don't expect anyone to log into your machine.



If you have any comments or questions please write to Troy Dawson who is the maintainer of this page.

The old version of this page is located here.

March 12, 2007