Fermilab has released its own flavor of Kerberos. It is basically MIT's
Kerberos with a few tweaks that were wanted here. The main improvement is that
Fermilab's Kerberos allows you to use a 'cryptocard' to authenticate yourself.
The cryptocard gives you 'one time' passwords, so you may
authenticate yourself from a non-kerberized machine.
Fermilab's normal way of releasing products is via UPS/UPD. This has
many nice features, but it was felt that an rpm release would have
benefits of its own as well.
Fermilab's 'Strong Authentication' web pages can be found here.
krb5-fermi (i.e. krb5-fermi-1.7-71x.1.i386.rpm)
(7.3.1) krb5-libs-fermi (i.e. krb5-libs-fermi-1.7-73x.1.i386.rpm)
(7.3.1) krb5-workstation-fermi (i.e. krb5-workstation-fermi-1.7-73x.1.i386.rpm)
The binaries and man pages from the Kerberos product, except /bin/login.
These get installed in the same place as the product does, which is /usr/krb5.
So if you installed an earlier product version and want a
quick way to upgrade, just put this rpm in.
It doesn't do any configuration
of inetd.conf, sshd_config, services, or krb5.conf (though it does install a
default krb5.conf if you don't already have one).
krb5-fermi-login (i.e. krb5-fermi-login-1.7-71x1.i386.rpm)
This rpm replaces your /bin/login with the kerberized login. To
get your old login back, just remove the rpm (rpm -e krb5-fermi-login).
This had to be a separate rpm because of one shortcoming login has in dealing with X.
Although it is a good idea to install this rpm, if you find that you cannot start X
as a user, then remove this rpm.
krb5-fermi-config (i.e. krb5-fermi-config-1.6-71x.2.i386.rpm)
This does the configuration that you need to be fully kerberized. It edits
your krb5.conf, services, and sshd_config. Depending on whether you are running Fermi Linux
6.1.x or Fermi Linux 7.1.x, it will either edit your inetd.conf file or your
config files in xinetd.d. It also has a script,
'makehostkeys', for you to run if this is your first Kerberos install; that step
must be done by hand, while everything else is done just by installing the
rpm. All of the scripts are stored in /usr/krb5/config/ in case you want to
re-do one or all of them.
I'll say it again in case you missed it: this rpm works on Fermi Linux 7x as well as Fermi Linux 6.1.x.
The above rpm's are currently available at
ftp://linux.fnal.gov/linux/contrib/kerberos/61x/
ftp://linux.fnal.gov/linux/contrib/kerberos/71x/
ftp://linux.fnal.gov/linux/contrib/kerberos/73x/
Please note that there are separate rpms for Fermi Linux 6x, 7.1.1, and 7.3.1.
There are only two differences between the UPS Kerberos product and the Kerberos RPMs: the login program, and the way things are configured.
login
The login program has a serious bug in it that can prevent people from starting their X windows. Because
of this I have made it an optional RPM. It will also eventually be replaced by PAM modules, another reason to leave it off.
But it does do a good job at what it is supposed to do, which is to authenticate users at the login prompt with their Kerberos
passwords. Because of this, you should first try the rpm with the login program and see if you have any problems starting X
windows; if you don't, continue using the kerberized login.
configuration
The UPS product configuration uses a Perl script. For these RPMs I decided to go with bash scripts. Because of that
there are a few differences, but for the most part I have tried to have all the scripts imitate what is done during the product
install. There is one major exception, the makehostkeys script.
The UPS product is designed to be installed interactively, while an RPM is designed to be installed without any interaction.
But to get a system's host and ftp keys, a password must be typed in. So makehostkeys is a script that is designed to be
run after everything else is installed. In the product, you are asked for these passwords at the very start of setup,
and they are part of the basic install. Because of this difference, this basic step is often forgotten during an rpm install.
config files
There are two config files that currently differ from the UPD/UPS product.
I suspect that at some point they will match again, but for now they are
different in order to work with the pam modules.
/etc/krb.conf - changed to use the Kerberos servers to authenticate
/etc/krb5.conf - added a section to tell the pam modules what to do
NOTE: There has not been an easy way implemented to use Kerberos with PAM in the 6.x environment. Thus the passwords that you use in your desktop environment (screensavers, graphical logins, etc.) will be the same as they were before.
NOTE: This will change it so that all of the passwords that you use in your desktop environment (screensavers, graphical logins, etc.) will be your Kerberos password. If you want them to be the same as they were before, skip steps 7 and 8.
February 27, 2003