Fermilab Kerberos
KRB5


Fermilab has released its own flavor of Kerberos. It is basically MIT's Kerberos with a few tweaks that were wanted here. The main improvement is that Fermilab's Kerberos allows you to use a 'cryptocard' to authenticate yourself.
The cryptocard allows you to use 'one time' passwords, so you may authenticate yourself from a non-kerberized machine.
Fermilab's normal way of releasing products is via UPS/UPD. This has many nice features, but it was felt that an rpm release would have benefits as well.
Fermilab's 'Strong Authentication' web pages can be found here.


Fermilab's Kerberos RPM's

Although the actual files for Fermilab's Kerberos didn't change for our release of Fermi Linux 7.3.1, the way that they were packaged did. These changes are marked with a (7.3.1) prefix.

krb5-fermi (i.e. krb5-fermi-1.7-71x.1.i386.rpm)
(7.3.1)krb5-libs-fermi (i.e. krb5-libs-fermi-1.7-73x.1.i386.rpm)
(7.3.1)krb5-workstation-fermi (i.e. krb5-workstation-fermi-1.7-73x.1.i386.rpm)
The binaries and man pages from the Kerberos product, except /bin/login. These get installed in the same place as the product does, which is /usr/krb5. So if you installed an earlier product version and want a quick way to upgrade, just put this rpm in.
It doesn't do any configuration of inetd.conf, sshd_config, services, or krb5.conf (though it does install a default krb5.conf if you don't already have one).

krb5-fermi-login (i.e. krb5-fermi-login-1.7-71x1.i386.rpm)
This rpm replaces your /bin/login with the kerberized login. To get your old login back, just remove the rpm (rpm -e krb5-fermi-login).
This had to be a separate rpm because of one shortcoming login has when dealing with X. Although it is a good idea to install this rpm, if you find that you cannot start X as a user, remove this rpm.

krb5-fermi-config (i.e. krb5-fermi-config-1.6-71x.2.i386.rpm)
This does the configuration that you need to be fully kerberized. It edits your krb5.conf, services, and sshd_config. Depending on whether you are running Fermi Linux 6.1.x or Fermi Linux 7.1.x, it will either edit your inetd.conf file or your config files in xinetd.d. It also has a 'makehostkeys' script for when this is your first Kerberos install, but that step must be done by hand, while everything else is done just by installing the rpm. All of the scripts are stored in /usr/krb5/config/ in case you want to re-do one or all of them.
I'll say it again in case you missed it. This rpm works on both Fermi Linux 7x and Fermi Linux 6.1.x.


The above rpms are currently available at
ftp://linux.fnal.gov/linux/contrib/kerberos/61x/
ftp://linux.fnal.gov/linux/contrib/kerberos/71x/
ftp://linux.fnal.gov/linux/contrib/kerberos/73x/
Please note that there are separate rpms for Fermi Linux 6x, 7.1.1, and 7.3.1.


How Do The RPMs Differ From The Products?

There are only two differences between the UPS Kerberos product and the Kerberos RPMs: the login program and the way things are configured.

login
The login program has a serious bug that has the potential to prevent people from starting X windows. Because of this I have made it an optional RPM. It will also eventually get replaced by PAM modules, another reason to leave it off. But it does do a good job at what it is supposed to do, which is authenticate users at the login prompt with their Kerberos passwords. So you should first try the rpm with the login program and see if you have any problems starting X windows; if you don't, continue using the kerberized login.

configuration
The UPS product configuration uses a perl script. For these RPMs I decided to go with bash scripts. Because of that there are a few differences, but for the most part I have tried to have all the scripts imitate what is done during the product install. There is one major exception: the makehostkeys script.
The UPS product is designed to be installed interactively, while an RPM is designed to be installed without any interaction. But to get a system's host and ftp keys, a password must be typed in. So makehostkeys is a script that is designed to be run after everything else is installed. In the product, you are asked for these passwords at the very start of setup, and they are part of the basic install. Because of this difference, this basic step is often forgotten during an rpm install.

config files
There are two config files that currently differ from the UPD/UPS product. I suspect that at some point they will match again, but for now they are different in order to work with the pam modules.
/etc/krb.conf - changed to use the Kerberos servers to authenticate
/etc/krb5.conf - added a section to tell the pam modules what to do


Quick Kerberizing of Fermi Linux and/or RedHat Linux

Fermi Linux 6.x or RedHat 6.x

  1. * get a host principal password  from here *
  2. rpm -Uvh ftp://linux.fnal.gov/linux/contrib/DONOTEXPORT/ssh/ssh-current.rpm
  3. rpm -Uvh ftp://linux.fnal.gov/linux/contrib/kerberos/61x/krb5-fermi-current.rpm
  4. rpm -Uvh ftp://linux.fnal.gov/linux/contrib/kerberos/61x/krb5-fermi-config-current.rpm
  5. /usr/krb5/config/makehostkeys  * use password from step 1 *

NOTE: There has not been an easy way implemented to use Kerberos with PAM in the 6.x environment. Thus the passwords that you use in your desktop environment (screensavers, graphical logins, etc.) will be the same as they were before.

Fermi Linux 7.1.1 or RedHat 7.1

  1. * get a host principal password from here *
  2. rpm -Uvh ftp://linux.fnal.gov/linux/contrib/DONOTEXPORT/ssh/ssh-current.rpm
  3. rpm -Uvh ftp://linux.fnal.gov/linux/contrib/kerberos/71x/krb5-fermi-current.rpm
  4. rpm -Uvh ftp://linux.fnal.gov/linux/contrib/kerberos/71x/krb5-fermi-config-current.rpm
  5. rpm -Uvh ftp://linux.fnal.gov/linux/contrib/kerberos/71x/pam_krb5-1.44-1.i386.rpm
  6. /usr/krb5/config/makehostkeys  * use password from step 1 *
  7. rpm -q afs-pam
    1. *if return is 'package afs-pam is not installed' skip to step 8*
    2. *else*
      1. *determine release and version from answer to step 7. Release is after the second dash, Version is after the third dash*
        (example: afs-pam-nonis-1   release=nonis version=1)
      2. /usr/sbin/uninstall-afs-pam <release> <version>
        (example: /usr/sbin/uninstall-afs-pam nonis 1 )
  8. /usr/sbin/authconfig  * enable Kerberos on the second screen; leave everything else the way it is *

NOTE: This will change things so that all of the passwords that you use in your desktop environment (screensavers, graphical logins, etc.) will be your Kerberos password. If you want them to be the same as they were before, skip steps 7 and 8.
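Step 7 of the 7.1.1 procedure done as a shell script, added here as an example and not part of the original page or of the Fermi RPMs: it classifies the output of 'rpm -q afs-pam' and, using the rule from step 7.2.1 (release after the second dash, version after the third), derives the arguments for /usr/sbin/uninstall-afs-pam. The AFS_PAM_RUN variable that gates the live commands and the file name afs-pam-step7.sh are this example's own.

```shell
# Added example (not from the original page or the Fermi RPMs): automates
# step 7 of the Fermi Linux 7.1.1 procedure. It classifies the output of
# 'rpm -q afs-pam' and, if afs-pam is installed, splits the package name
# into the release (after the second dash) and version (after the third
# dash) that /usr/sbin/uninstall-afs-pam expects. The live rpm/uninstall
# commands only run when AFS_PAM_RUN=1 (a variable of this example's own).

# afs_pam_release: print the release field of an afs-pam package name.
#   afs_pam_release afs-pam-nonis-1  -> nonis
afs_pam_release() {
    printf '%s\n' "$1" | cut -d '-' -f 3
}

# afs_pam_version: print the version field (everything after the third dash).
#   afs_pam_version afs-pam-nonis-1  -> 1
afs_pam_version() {
    printf '%s\n' "$1" | cut -d '-' -f 4-
}

# afs_pam_uninstall_cmd: given the 'rpm -q afs-pam' output, print the
# uninstall command to run, or print nothing when afs-pam is not installed
# (step 7.1: skip straight to step 8). Any other output is an error.
afs_pam_uninstall_cmd() {
    case "$1" in
        'package afs-pam is not installed')
            return 0 ;;
        afs-pam-*-*)
            printf '/usr/sbin/uninstall-afs-pam %s %s\n' \
                "$(afs_pam_release "$1")" "$(afs_pam_version "$1")" ;;
        *)
            echo "unexpected 'rpm -q afs-pam' output: $1" >&2
            return 1 ;;
    esac
}

# Live run on a Fermi Linux 7.1.1 / RedHat 7.1 host:
#   AFS_PAM_RUN=1 sh afs-pam-step7.sh
if [ "${AFS_PAM_RUN:-0}" = 1 ]; then
    query=$(rpm -q afs-pam 2>&1 || true)
    cmd=$(afs_pam_uninstall_cmd "$query") || exit 1
    if [ -n "$cmd" ]; then
        echo "step 7.2: $cmd"
        eval "$cmd"
    else
        echo "afs-pam is not installed; continue with step 8 (authconfig)"
    fi
fi
```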

Fermi Linux 7.3.1

NOTE: Fermi Linux 7.3.1 comes kerberized out of the box with Fermi Kerberos. These steps are if you want someone to be able to log into your machine from another kerberized machine.
  1. * get a host principal password  from here *
  2. /usr/krb5/config/makehostkeys  * use password from step 1 *

RedHat 7.3 or 8.0

PRE-NOTE: Although RedHat comes with Kerberos, these steps are for installing Fermi's Kerberos on it, as well as getting a kerberized OpenSSH.
PRE-NOTE 2: As of this writing, these Kerberos and openssh rpms work with RedHat 8.1beta.
  1. * get a host principal password  from here *
  2. rpm -Uvh ftp://linux.fnal.gov/linux/contrib/kerberos/73x/krb5-libs-fermi-current.rpm
  3. rpm -Uvh ftp://linux.fnal.gov/linux/contrib/kerberos/73x/krb5-workstation-fermi-current.rpm
  4. rpm -Uvh ftp://linux.fnal.gov/linux/contrib/kerberos/73x/krb5-fermi-config-current.rpm
  5. /usr/krb5/config/makehostkeys  * use password from step 1 *
  6. mkdir openssh
  7. cd openssh
  8. ncftpget ftp://linux.fnal.gov/linux/contrib/openssh/rh73/*current*
  9. rpm -Fvh *.rpm
  10. /usr/sbin/authconfig  * enable Kerberos on the second screen; leave everything else the way it is *


If you have any comments or questions please write to Troy Dawson, who is the maintainer of these rpms and this web page.

February 27, 2003