A Kerberos client is easy to set up to work with existing Kerberos infrastructure.
Install the Kerberos client packages:
# apt-get install krb5-user
To show how little configuration is really needed, we will move the auto-generated config file out of the way (which contains a load of junk anyway) and create a new minimal one with just 4 lines:
# mv /etc/krb5.conf /etc/krb5.conf.example
# editor /etc/krb5.conf
[libdefaults]
default_realm = WS.NSRC.ORG
dns_lookup_realm = true
dns_lookup_kdc = true
Now check that the ssh client program will try Kerberos authentication. It's enabled by default in Ubuntu, but in other operating systems it might not be.
# editor /etc/ssh/ssh_config (on MacOSX it's /etc/ssh_config)
...
GSSAPIAuthentication yes # check this line present (near end)
GSSAPIKeyExchange yes # add this line too
...
The class Kerberos setup has an account "testuser" which you can use.
$ kinit testuser
... enter password when prompted
(password is "nsrc2020" unless you've been told otherwise)
Now you should now be able to login to servers in your Kerberos realm without re-entering your password:
$ ssh testuser@noc.ws.nsrg.org
-- logout, then login somewhere else
$ ssh testuser@noc2.ws.nsrc.org
-- logout
Have a look at the tickets you've picked up:
$ klist
You should see your own TGT plus tickets for the servers you've connected to.
To get rid of them, use kdestroy
; check that you can no longer login
(the server will give you a password prompt instead)
We've actually enabled two different authentication mechanisms.
GSSAPIAuthentication
is the standard one (gssapi-with-mic), and just
authenticates the user. GSSAPIKeyExchange
is a new one (gssapi-keyex)
which also validates the authenticity of the host. It avoids the need
to accept host keys into your known_hosts
file, because Kerberos already
provides mutual authentication.
GSSAPIKeyExchange
is available as a patch to ssh, and is included by
default in recent Debian/Ubuntu, RHEL6, and Fedora 13+. But it probably
won't work when connecting to older Unix boxes or to BSD boxes, in
which case you'll fall back to gssapi-with-mic.
More info at http://www.sxw.org.uk/computing/patches/openssh.html
For curl, you must supply an empty username and password in option -u
$ curl --negotiate -u: http://noc.ws.nsrc.org/secure/
For Firefox:
about:config
network.negotiate-auth.trusted-uris ws.nsrc.org
For Google Chrome: apply the option when starting it up:
/opt/google/chrome/google-chrome \
--auth-server-whitelist=*.ws.nsrc.org
Under Ubuntu you have to have the appropriate SASL-GSSAPI module installed.
# apt-get install ldap-utils libsasl2-modules-gssapi-mit
$ ldapsearch -Y GSSAPI -h ldap.ws.nsrc.org \
-b "dc=ws,dc=nsrc,dc=org" "(cn=*candler*)"