Exercise 1: Set up a kerberos client

A Kerberos client is easy to set up to work with existing Kerberos infrastructure.

Setup

Install the Kerberos client packages:

# apt-get install krb5-user

To show how little configuration is really needed, we will move the auto-generated config file out of the way (which contains a load of junk anyway) and create a new minimal one with just 4 lines:

# mv /etc/krb5.conf /etc/krb5.conf.example
# editor /etc/krb5.conf

[libdefaults]
default_realm = WS.NSRC.ORG
dns_lookup_realm = true
dns_lookup_kdc = true

Now check that the ssh client program will try Kerberos authentication. It's enabled by default in Ubuntu, but in other operating systems it might not be.

# editor /etc/ssh/ssh_config      (on MacOSX it's /etc/ssh_config)

...
GSSAPIAuthentication yes    # check this line present (near end)
GSSAPIKeyExchange yes       # add this line too
...

Testing ssh client

The class Kerberos setup has an account "testuser" which you can use.

$ kinit testuser
... enter password when prompted
(password is "nsrc2020" unless you've been told otherwise)

Now you should now be able to login to servers in your Kerberos realm without re-entering your password:

$ ssh testuser@noc.ws.nsrg.org
-- logout, then login somewhere else

$ ssh testuser@noc2.ws.nsrc.org
-- logout

Have a look at the tickets you've picked up:

$ klist

You should see your own TGT plus tickets for the servers you've connected to.

To get rid of them, use kdestroy; check that you can no longer login (the server will give you a password prompt instead)


Reference material [not part of the exercise]

We've actually enabled two different authentication mechanisms. GSSAPIAuthentication is the standard one (gssapi-with-mic), and just authenticates the user. GSSAPIKeyExchange is a new one (gssapi-keyex) which also validates the authenticity of the host. It avoids the need to accept host keys into your known_hosts file, because Kerberos already provides mutual authentication.

GSSAPIKeyExchange is available as a patch to ssh, and is included by default in recent Debian/Ubuntu, RHEL6, and Fedora 13+. But it probably won't work when connecting to older Unix boxes or to BSD boxes, in which case you'll fall back to gssapi-with-mic.

More info at http://www.sxw.org.uk/computing/patches/openssh.html

Enabling Kerberos in HTTP clients

For curl, you must supply an empty username and password in option -u

$ curl --negotiate -u: http://noc.ws.nsrc.org/secure/

For Firefox:

For Google Chrome: apply the option when starting it up:

/opt/google/chrome/google-chrome \
  --auth-server-whitelist=*.ws.nsrc.org

Enabling Kerberos in LDAP client

Under Ubuntu you have to have the appropriate SASL-GSSAPI module installed.

# apt-get install ldap-utils libsasl2-modules-gssapi-mit

$ ldapsearch -Y GSSAPI -h ldap.ws.nsrc.org \
    -b "dc=ws,dc=nsrc,dc=org" "(cn=*candler*)"