Kerberos, Linux, and Fermilab
Updated September 1, 2007
Soon to be moved to
https://fermilinux.fnal.gov/documentation/security/
Introduction
Fermilab's Kerberos RPMS
Fermilab Kerberos Config Files
Setup (Basic Steps)
Setup (Fermi Linux)
Setup (Scientific Linux 3.0.x), (Scientific Linux 4.x)
Setup Scientific Linux Cern 4.x
Setup (Generic Older Linux Distribution)
Setup (Newer Linux Distribution) - SL5, RHEL5, Fedora 8+, Ubuntu 8+
Introduction
Fermilab tries to use kerberos for all authentication whenever possible. Fermilab's
policies on kerberos can be found at Fermilab's 'Strong Authentication'
web pages.
In pursuit of all authentication being kerberized, Fermilab has released its own
flavor of kerberos. It is basically MIT's kerberos with a few tweaks that were
wanted here. The main addition is that Fermilab's kerberos lets you use a
'cryptocard' to authenticate yourself. The cryptocard generates 'one time'
passwords, so you can authenticate from a non-kerberized machine without
sending a reusable password over the network.
Fermilab's kerberos is compatible with MIT's kerberos. It is not
necessary for a linux machine to use Fermilab's kerberos to log into the Fermilab realm.
Fermilab's kerberos can also be installed alongside MIT's kerberos. In the various
Fermi Linux distributions we install both MIT's kerberos and Fermilab's kerberos. They
live in two different directories (/usr/kerberos and /usr/krb5); we simply put Fermilab's
kerberos in your path.
NEW: In 2007 we moved the cryptocard functionality into the pam_krb5 PAM module. This means
we no longer have to run specialized versions of kerberos and openssh.
Scientific Linux Fermi 5.0 was our first distribution that ships only configuration changes for
kerberos, and not the Fermi kerberos programs.
Fermilab's Kerberos RPMs
KERBEROS
krb5-libs-fermi
krb5-workstation-fermi
The binaries and man pages from the kerberos product.
These get installed in /usr/krb5.
They do not do any configuration, but krb5-workstation-fermi
does put /usr/krb5/bin in your path.
krb5-fermi-krb5.conf
This rpm gives you a krb5.conf file set up to work with the FNAL.GOV
kerberos realm. If you already have a krb5.conf, it saves the old one off.
krb5-fermi-config
This does the configuration that you need to be fully kerberized. It edits
your krb5.conf, services, and sshd_config. It will also edit your
config files in xinetd.d.
Each of these configuration steps is a script stored in /usr/krb5/config/, in case you want to
re-do one or all of them.
It also has a script called 'makehostkeys'. This script is used to create your
host or ftp principal. It must be run by hand after you get a host principal
password by filling out
the proper form.
The above rpms are available at
ftp://linux.fnal.gov/linux/contrib/kerberos/
You will need to go into the appropriate directory for your linux release and get the rpms.
The rpms that end in current.rpm are links to the latest stable releases. At times there might
be several versions of some of these rpms. When you don't know which one to get, get the current.rpm.
OPENSSH
NEW: Fermilab used to have to build its own version of openssh in order to use the cryptocard function. In 2007,
when this functionality was moved to the pam module pam_krb5, we were able to switch to unmodified versions of openssh.
But there were other problems.
Older patched versions of openssh (versions 3.8 and older) used an authentication method called gssapi to do kerberos
authentication. Newer versions of openssh (versions 3.9 and newer) use a similar method called gssapi-with-mic.
The problem is that gssapi-with-mic is not compatible with gssapi. So a new version of openssh could not do kerberos
authentication with an old version of openssh, and vice versa.
In August 2007 Fermilab updated all supported versions of Fermi Linux to its modified version of openssh. This modified
version is the openssh from RedHat Enterprise Linux 4, with a patch that allows it to do both gssapi and gssapi-with-mic, and
thus work with both the older versions of openssh and the newer versions.
Because Fermilab is now running this newer version of openssh, people who are running newer versions of openssh do not have to
change their version of openssh to be able to log into Fermilab.
If you want our patched version of openssh, you can get it at
ftp://linux.fnal.gov/linux/contrib/openssh/lts30x/
ftp://linux.fnal.gov/linux/contrib/openssh/lts4x/
Note that these versions have their configuration files changed so that the openssh server only allows kerberos
authentication, and will not accept passwords. If you want a version of this patched openssh that has the standard configuration
as it comes from RedHat, you can get it at
ftp://linux.fnal.gov/linux/contrib/openssh/sl30x/
ftp://linux.fnal.gov/linux/contrib/openssh/sl4x/
Fermilab's Kerberos Config Files
The kerberos 5 config file on RedHat based machines is at /etc/krb5.conf
Here is the official Fermilab krb5.conf file
The kerberized openssh config file on RedHat based machines is at /etc/ssh/sshd_config
kerberized sshd_config (openssh 3.9 and newer)
old kerberized sshd_config (before openssh 3.9)
Setup - Basic Steps
There are two ways you can have kerberos configured. You can have your machine configured to be Outbound Only,
or you can configure it to be both Outbound and Inbound.
If you are only going to be logging into other machines, and no one is supposed to log into your machine over the network, this
is considered an Outbound Only setup. This is the common setup for laptops, because most people expect their laptops to travel,
their IP address to change all the time, and basically no one should be logging into them.
If you plan on people logging into your machine over the network using kerberos, then you need to follow the steps for Outbound
and Inbound setup. This is usually for machines that are servers, or desktops that people log into.
Outbound Only
- Get kerberos on your machine.
Most modern linux distributions have kerberos, and almost all of them work with Fermi's kerberos. You can use MIT's
kerberos, Heimdal's kerberos, or the kerberos that came with your distribution. Most any of them will work.
Just remember that while all of them work together ... not all of them have the same command line arguments.
- Get kerberized openssh, that uses the gssapi or gssapi-with-mic protocol, on your machine.
Most modern linux distributions have openssh 3.9 and above. openssh 3.9 and above has gssapi-with-mic built into
it and it will work.
If your version of linux has an older version of openssh, it most likely does not use gssapi. We have been collecting
various versions of openssh that have the gssapi patches in our contrib area. You can check
and see if your distribution has a version there. It is at
ftp://linux.fnal.gov/linux/contrib/openssh/
- Put the Fermi settings in your krb5.conf.
You can do this by installing one of the config rpms listed above, or using one of the above config files. Or if
you are bound to several kerberos realms, you can edit your krb5.conf and just put the important parts from our config
file into your own.
The default location for a krb5.conf file is /etc/krb5.conf
Outbound and Inbound
- Get kerberos on your machine.
Most modern linux distributions have kerberos, and almost all of them work with Fermi's kerberos. You can use MIT's
kerberos, Heimdal's kerberos, or the kerberos that came with your distribution. Most any of them will work.
Just remember that while all of them work together ... not all of them have the same command line arguments.
- Get kerberized openssh, that uses the gssapi or gssapi-with-mic protocol, on your machine.
Most modern linux distributions have openssh 3.9 and above. openssh 3.9 and above has gssapi-with-mic built into
it and it will work.
If your version of linux has an older version of openssh, it most likely does not use gssapi. We have been collecting
various versions of openssh that have the gssapi patches in our contrib area. You can check
and see if your distribution has a version there. It is at
ftp://linux.fnal.gov/linux/contrib/openssh/
- Put the Fermi settings in your krb5.conf.
You can do this by installing one of the config rpms listed above, or using one of the above config files. Or if
you are bound to several kerberos realms, you can edit your krb5.conf and just put the important parts from our config
file into your own.
The default location for a krb5.conf file is /etc/krb5.conf
- Kerberize your openssh daemon config file.
The easiest way is to just replace your sshd_config file with the one shown above.
The default location for a sshd_config file is /etc/ssh/sshd_config
Note that this sshd_config turns off password authentication, so on a machine you only reach over the network, get the
host principal (next step) in place before you restart sshd, or you will lock yourself out.
- Get a kerberos host principal.
Get a host principal password from here.
Run the makehostkeys script to make your host principal.
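Before restarting sshd on a machine you only reach over the network, it is worth checking that the krb5.conf and sshd_config steps above actually took. The script below is an added example and not one of Fermilab's config rpms or scripts: it reads /etc/krb5.conf and /etc/ssh/sshd_config (the paths the page names; the paths and the FNAL.GOV realm are assumptions that can be overridden through the environment) and reports whether the kerberized settings are there. It reads sshd_config the way sshd does, where the first occurrence of a keyword wins, keywords are case-insensitive and either whitespace or '=' separates keyword and value, so a second 'PasswordAuthentication yes' further down the file does not fool it.

```shell
#!/bin/sh
# Added example, not part of the Fermilab page or its config rpms: a read-only
# audit of the two config files the "Outbound and Inbound" steps touch.
# Paths are the ones the page names; REALM is an assumption. All overridable.

REALM="${REALM:-FNAL.GOV}"
KRB5_CONF="${KRB5_CONF:-/etc/krb5.conf}"
SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"

# Print the effective value (lower-cased) of one sshd_config keyword. sshd
# honours the first occurrence of a keyword, matches keywords without regard
# to case and accepts whitespace or '=' as the separator, so mimic that
# rather than grepping for an exact spelling. Match blocks are not evaluated.
sshd_opt() {  # $1 = sshd_config path, $2 = keyword
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            split(line, f, /[ \t=]+/)
            if (tolower(f[1]) == key) { print tolower(f[2]); exit }
        }' "$1"
}

# Print the default_realm from the [libdefaults] section of a krb5.conf.
krb5_default_realm() {  # $1 = krb5.conf path
    awk '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ { s = $0; gsub(/[ \t]/, "", s); sect = substr(s, 2, length(s) - 2); next }
        { line = $0; gsub(/=/, " ", line); $0 = line }
        sect == "libdefaults" && $1 == "default_realm" { print $2; exit }
    ' "$1"
}

# Check sshd_config for what the page's kerberized sshd_config enforces:
# GSSAPI authentication on, password logins off. UsePAM yes only matters if
# cryptocard (pam_krb5) logins are wanted, so it is reported, not required.
check_sshd() {  # $1 = sshd_config path; returns 0 when the required settings hold
    ok=0
    gss=$(sshd_opt "$1" GSSAPIAuthentication)
    pw=$(sshd_opt "$1" PasswordAuthentication)
    pam=$(sshd_opt "$1" UsePAM)
    [ "$gss" = yes ] || { echo "FAIL: GSSAPIAuthentication is '${gss:-unset}', want yes"; ok=1; }
    # sshd defaults to PasswordAuthentication yes, so unset is a failure too.
    [ "$pw" = no ] || { echo "FAIL: PasswordAuthentication is '${pw:-unset}', want no"; ok=1; }
    if [ "$pam" = yes ]; then echo "INFO: UsePAM yes, cryptocard logins via pam_krb5 are possible"; fi
    return $ok
}

audit() {
    rc=0
    realm=$(krb5_default_realm "$KRB5_CONF")
    if [ "$realm" = "$REALM" ]; then
        echo "OK: default_realm = $realm in $KRB5_CONF"
    else
        echo "WARN: default_realm is '${realm:-unset}' (fine if you are bound to several realms on purpose)"
    fi
    check_sshd "$SSHD_CONFIG" || rc=1
    return $rc
}

# Usage: sh check-krb-config.sh audit   (exit status 0: sshd is kerberos-only)
if [ "${1:-}" = audit ]; then audit; fi
```

Run it as root with 'sh check-krb-config.sh audit'; exit status 0 means GSSAPIAuthentication is on and PasswordAuthentication is off. Match stanzas are not evaluated, so one that re-enables passwords for some users has to be checked by eye.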
Setup - Fermi Linux
Scientific Linux Fermi 5.x, 4.x, and 3.0.x (LTS 3.0.x)
Outbound Only
Nothing. Scientific Linux Fermi comes kerberized out of the box, with kerberos already installed and properly configured.
Outbound and Inbound
- Get a host principal password from here
- /usr/krb5/config/makehostkeys ( use password from previous step )
- Get the openssh server rpm if it isn't already installed
yum install openssh-server
- If you want incoming users to be able to use their cryptocard to get into the machine
Change the setting in /etc/ssh/sshd_config from "UsePAM no" to "UsePAM yes" and then restart your ssh daemon.
The easiest way to do this is to install the zz_sshd_pam rpm
yum install zz_sshd_pam
service sshd restart
Setup - Scientific Linux
Scientific Linux 3.0.x and RHEL 3
Outbound Only
- Optional: Install Fermilab's kerberos
This is optional because RedHat's kerberos works just fine.
I have found that Fermilab's kerberos works better behind
NATs than RedHat's default kerberos.
You do not have to remove RedHat's kerberos to install Fermilab's. They live in different directories and can both be on
the machine with no side effects.
rpm -Uvh ftp://linux.fnal.gov/linux/contrib/kerberos/lts3x/krb5-libs-fermi-current.rpm
rpm -Uvh ftp://linux.fnal.gov/linux/contrib/kerberos/lts3x/krb5-workstation-fermi-current.rpm
- Configure your krb5.conf, either by installing the krb5-fermi-krb5.conf rpm from the same contrib directory or by
copying the Fermilab krb5.conf file shown above into /etc/krb5.conf
- Install a kerberized openssh that does gssapi authentication
- mkdir openssh
- cd openssh
- lftp ftp://linux.fnal.gov/linux/contrib/openssh/sl30x/
cd to your appropriate arch, usually 'cd i386'
mget *.rpm
quit
- rpm -Fvh openssh*.rpm
Outbound and Inbound
Note: Inbound kerberos connections can be handled with RedHat's kerberos. The only difference is that you will not have
Cryptocard support. If you want Cryptocard support, or you just want your machine to be like a SL-Fermi machine, do the
instructions that start with Cryptocard:.
- Cryptocard: Install Fermilab's kerberos
You do not have to remove RedHat's kerberos to install Fermilab's. They live in different directories and can both be on
the machine with no side effects.
rpm -Uvh ftp://linux.fnal.gov/linux/contrib/kerberos/lts3x/krb5-libs-fermi-current.rpm
rpm -Uvh ftp://linux.fnal.gov/linux/contrib/kerberos/lts3x/krb5-workstation-fermi-current.rpm
- Configure your krb5.conf, either by installing the krb5-fermi-krb5.conf rpm from the same contrib directory or by
copying the Fermilab krb5.conf file shown above into /etc/krb5.conf
- Install a kerberized openssh that does gssapi authentication
- mkdir openssh
- cd openssh
- lftp ftp://linux.fnal.gov/linux/contrib/openssh/sl30x/
cd to your appropriate arch, usually 'cd i386'
mget *.rpm
quit
- rpm -Fvh openssh*.rpm
OR
Cryptocard:
- mkdir openssh
- cd openssh
- lftp ftp://linux.fnal.gov/linux/contrib/openssh/lts30x/
mget *.rpm
quit
- rpm -Fvh openssh*.rpm
- edit /etc/yum.d/yum.cron.excludes
add openssh* to the end of the line
- edit /etc/yum.conf
add exclude=openssh* up in the [main] section
(both of these keep yum from replacing the patched openssh with the stock one at the next update)
- Get a host principal password from here
- This is the one step where installing Fermilab's kerberos makes things easier.
Cryptocard: /usr/krb5/config/makehostkeys ( use password from previous step )
OR
kadmin -r FNAL.GOV -p host/{full.host.name}@FNAL.GOV -w {password} -q "ktadd host/{full.host.name}@FNAL.GOV"
Where {full.host.name} is the full name of the computer, i.e. what you put down on the form in the previous step,
and {password} is the password sent to you in the previous step. If you leave off -w {password}, kadmin prompts
for it instead, which keeps the password out of your shell history and out of the process list.
Scientific Linux 4.x and RHEL 4
Outbound Only
- Optional: Install Fermilab's kerberos
This is optional because RedHat's kerberos works just fine.
I have found that Fermilab's kerberos works better behind
NATs than RedHat's default kerberos.
You do not have to remove RedHat's kerberos to install Fermilab's. They live in different directories and can both be on
the machine with no side effects.
rpm -Uvh ftp://linux.fnal.gov/linux/contrib/kerberos/lts4x/krb5-libs-fermi-current.rpm
rpm -Uvh ftp://linux.fnal.gov/linux/contrib/kerberos/lts4x/krb5-workstation-fermi-current.rpm
- Configure your krb5.conf, either by installing the krb5-fermi-krb5.conf rpm from the same contrib directory or by
copying the Fermilab krb5.conf file shown above into /etc/krb5.conf
- Install a kerberized openssh that does gssapi authentication
- mkdir openssh
- cd openssh
- lftp ftp://linux.fnal.gov/linux/contrib/openssh/sl4x/
cd to your appropriate arch, usually 'cd i386'
mget *.rpm
quit
- rpm -Fvh openssh*.rpm
Outbound and Inbound
Note: Inbound kerberos connections can be handled with RedHat's kerberos. The only difference is that you will not have
Cryptocard support. If you want Cryptocard support, or you just want your machine to be like a SL-Fermi machine, do the
instructions that start with Cryptocard:.
- Cryptocard: Install Fermilab's kerberos
You do not have to remove RedHat's kerberos to install Fermilab's. They live in different directories and can both be on
the machine with no side effects.
rpm -Uvh ftp://linux.fnal.gov/linux/contrib/kerberos/lts4x/krb5-libs-fermi-current.rpm
rpm -Uvh ftp://linux.fnal.gov/linux/contrib/kerberos/lts4x/krb5-workstation-fermi-current.rpm
- Configure your krb5.conf, either by installing the krb5-fermi-krb5.conf rpm from the same contrib directory or by
copying the Fermilab krb5.conf file shown above into /etc/krb5.conf
- Install a kerberized openssh that does gssapi authentication
- mkdir openssh
- cd openssh
- lftp ftp://linux.fnal.gov/linux/contrib/openssh/sl4x/
cd to your appropriate arch, usually 'cd i386'
mget *.rpm
quit
- rpm -Fvh openssh*.rpm
OR
Cryptocard:
- mkdir openssh
- cd openssh
- lftp ftp://linux.fnal.gov/linux/contrib/openssh/lts4x/
mget *.rpm
quit
- rpm -Fvh openssh*.rpm
- edit /etc/yum.d/yum.cron.excludes
add openssh* to the end of the line
- edit /etc/yum.conf
add exclude=openssh* up in the [main] section
- Get a host principal password from here
- This is the one step where installing Fermilab's kerberos makes things easier.
Cryptocard: /usr/krb5/config/makehostkeys ( use password from previous step )
OR
kadmin -r FNAL.GOV -p host/{full.host.name}@FNAL.GOV -w {password} -q "ktadd host/{full.host.name}@FNAL.GOV"
Where {full.host.name} is the full name of the computer, i.e. what you put down on the form in the previous step,
and {password} is the password sent to you in the previous step.
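The kadmin line above (the same one appears in the Scientific Linux 3.0.x section) works, but with -w {password} on the command line the host principal's password ends up in your shell history and is visible in 'ps' while kadmin runs. The script below is an added example for both sections and is not Fermilab's makehostkeys: it runs the same ktadd with kadmin prompting for the password, checks the host name first, locks the keytab down to root, and then proves the new key works with kinit -k. The realm FNAL.GOV, the keytab path /etc/krb5.keytab and the tool names (MIT kadmin, klist, kinit, kdestroy) are assumptions.

```shell
#!/bin/sh
# Added example for the SL 3.0.x and SL 4.x "Outbound and Inbound" steps.
# It is not Fermilab's makehostkeys; it wraps the same kadmin ktadd with the
# checks that are easy to skip. Assumptions: realm FNAL.GOV, keytab
# /etc/krb5.keytab, MIT kadmin/klist/kinit/kdestroy on the PATH.

REALM="${REALM:-FNAL.GOV}"
KEYTAB="${KEYTAB:-/etc/krb5.keytab}"

# The principal must carry exactly the fully qualified, lower-case host name
# that was put on the host principal form; a short or differently spelled
# name yields a keytab the KDC never issued a key for. Returns 0 if usable.
valid_fqdn() {  # $1 = host name
    case "$1" in
        ''|.*|*.|*..*) return 1 ;;
        *.*) ;;                   # at least one dot: qualified
        *) return 1 ;;
    esac
    # Only lower-case letters, digits, dots and hyphens are accepted.
    [ -z "$(printf '%s' "$1" | tr -d 'abcdefghijklmnopqrstuvwxyz0123456789.-')" ]
}

host_principal() {  # $1 = fqdn  -> host/fqdn@REALM
    printf 'host/%s@%s\n' "$1" "$REALM"
}

# Same ktadd as on the page, but without -w: kadmin then prompts for the
# one-time password, so it never appears in shell history or in 'ps'.
fetch_host_key() {  # $1 = fqdn
    princ=$(host_principal "$1")
    kadmin -r "$REALM" -p "$princ" -q "ktadd -k $KEYTAB $princ"
}

# The keytab is the machine's long-term secret; nobody but root reads it.
lock_keytab() {
    chown root:root "$KEYTAB" && chmod 600 "$KEYTAB"
}

# Prove the new key works: it must be listed, and kinit -k must be able to
# get a ticket with it (into a throwaway cache that is destroyed right after).
verify_host_key() {  # $1 = fqdn
    princ=$(host_principal "$1")
    klist -k "$KEYTAB" | grep -q "$princ\$" || { echo "$princ not in $KEYTAB" >&2; return 1; }
    cc="FILE:/tmp/krb5cc_hostcheck.$$"
    KRB5CCNAME="$cc" kinit -k -t "$KEYTAB" "$princ" && KRB5CCNAME="$cc" kdestroy
}

# Usage (as root): sh makehostkey.sh full.host.name
if [ $# -eq 1 ]; then
    valid_fqdn "$1" || { echo "usage: $0 full.host.name (lower case, fully qualified)" >&2; exit 2; }
    fetch_host_key "$1" && lock_keytab && verify_host_key "$1"
fi
```

A failing verify_host_key after a successful ktadd almost always means the name on the form and the name you passed differ; the kadmin query itself succeeding only shows the KDC accepted the one-time password.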
Scientific Linux Cern 4.x
SLC 4.x comes with openssh-4.3p2-4.cern, which is kerberized and compatible with Fermilab's openssh.
It also comes with a krb5.conf that already has the proper FNAL.GOV realm settings.
So to get a fermilab kerberos ticket all a user has to do is
kinit {username}@FNAL.GOV
And to ssh into a fermi kerberized machine all they have to do is
ssh -2 {host.fnal.gov}
If for some reason they do not want to have to add those extra options (say they are staying
at Fermilab for a month or so), they just have to change the line in krb5.conf from
default_realm = CERN.CH
to
default_realm = FNAL.GOV
and add to $HOME/.ssh/config (or /etc/ssh/ssh_config if you want it global)
Host *.fnal.gov
protocol = 2
Setup - Generic Linux
Fedora Core 2
Outbound only: So that you can log into fermilab and its computers, but you don't expect anyone to log into your machine.
- become root, and do all the following as root
- yum install krb5-workstation
- rpm -Uvh ftp://linux.fnal.gov/linux/contrib/kerberos/fedora2/krb5-fermi-krb5.conf-current.rpm
- mkdir openssh
- cd openssh
- lftp ftp://linux.fnal.gov/linux/contrib/openssh/fedora2/
mget *.rpm
quit
- rpm -Fvh openssh*.rpm
Fedora Core 3
Outbound only: So that you can log into fermilab and its computers, but you don't expect anyone to log into your machine.
- become root, and do all the following as root
- yum install krb5-workstation
- rpm -Uvh ftp://linux.fnal.gov/linux/contrib/kerberos/fedora3/krb5-fermi-krb5.conf-current.rpm
- mkdir openssh
- cd openssh
- lftp ftp://linux.fnal.gov/linux/contrib/openssh/fedora3/
mget *.rpm
quit
- rpm -Fvh openssh*.rpm
Fedora Core 4
Outbound only: So that you can log into fermilab and its computers, but you don't expect anyone to log into your machine.
- become root, and do all the following as root
- yum install krb5-workstation
- rpm -Uvh ftp://linux.fnal.gov/linux/contrib/kerberos/fedora4/krb5-fermi-krb5.conf-current.rpm
- mkdir openssh
- cd openssh
- lftp ftp://linux.fnal.gov/linux/contrib/openssh/lts4x/
mget *.rpm
quit
- rpm -e --nodeps openssh openssh-clients openssh-server openssh-askpass openssh-askpass-gnome
- rpm -Uvh openssh*.rpm
Note: You might not be able to install openssh-askpass or
openssh-askpass-gnome, depending on what you already had installed, if that is the
case, just delete them and try again.
Mandrake 2006.0
Outbound only: So that you can log into fermilab and its computers, but you don't expect anyone to log into your machine.
- become root, and do all the following as root
- mkdir kerb
- cd kerb
- lftp ftp://linux.fnal.gov/linux/contrib/kerberos/sl4x
mget *current*
quit
- rm -f krb5-fermi-config-current.rpm
- rpm -Uvh krb5*.rpm
- cd ..
- mkdir openssh
- cd openssh
- lftp ftp://linux.fnal.gov/linux/contrib/openssh/lts4x/
mget *.rpm
quit
- rm -f openssh-askpass*
- rpm -e --nodeps openssh openssh-clients openssh-server
- rpm -Uvh openssh*.rpm
SuSE 9.2
Sent in by Juerg Beringer
Outbound only: So that you can log into fermilab and its computers, but you don't expect anyone to log into your machine.
The SuSE 9.2 DVD comes with Heimdal Kerberos (0.6.2-8) and
OpenSSH (3.9p1-3). The former works fine for Fermilab, but I couldn't
get the latter to work (OpenSSH 3.9 uses a newer version of GSSAPI that is not backwards compatible).
I downloaded and installed your rpms (using --force --nodeps)
openssh-askpass-3.5p1f11-4rh7x
openssh-clients-3.5p1f11-4rh7x
openssh-server-3.5p1f11-4rh7x
openssh-3.5p1f11-4rh7x
Because the RH and SuSE startup scripts are different and in different
locations, I kept the original SuSE sshd startup script (/etc/init.d/sshd)
and set YaST to ignore any conflicts.
With this everything seems to work fine.
If you have any comments or questions please write to
Troy Dawson who is the maintainer of
this page.
March 12, 2007