LDP
/
old-www
1
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity
old-www/HOWTO/Kerberos-Infrastructure-HOWTO/client-configure.html

391 lines
8.9 KiB
HTML
Raw Permalink Blame History

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML
><HEAD
><TITLE
>Client Configuration</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
REL="HOME"
TITLE="Kerberos Infrastructure HOWTO"
HREF="index.html"><LINK
REL="PREVIOUS"
TITLE="Kerberos Server Replication"
HREF="server-replication.html"><LINK
REL="NEXT"
TITLE="Programming With Kerberos"
HREF="programming.html"></HEAD
><BODY
CLASS="section"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>Kerberos Infrastructure HOWTO</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="server-replication.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
></TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="programming.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="section"
><H1
CLASS="section"
><A
NAME="client-configure"
></A
>6. Client Configuration</H1
><DIV
CLASS="section"
><H2
CLASS="section"
><A
NAME="client"
></A
>6.1. General GNU/Linux Client Configuration</H2
><P
>&#13;GNU/Linux distributions of Kerberos include a client package which contains all of the software and configuration files needed for setting up a GNU/Linux machine to be able to perform Kerberos authentications against a KDC. In Fedora derived GNU/Linux, this package is <EM
>krb5-workstation</EM
>. In order for your system to be capable of Kerberos authentication, including by authentication by kerberized applications, you must configure Kerberos on the system.
</P
><P
>&#13;Configuration involves editing the <TT
CLASS="filename"
>/etc/krb5.conf</TT
> file. In this file, you must specify your realm, KDC's, administrative server, logging, default domain, and KDC information. You must also modify the <TT
CLASS="filename"
>kdc.conf</TT
> file, which you are allowed to specify a location for in the <TT
CLASS="filename"
>krb5.conf</TT
> file. The default location is <TT
CLASS="filename"
>/var/Kerberos/krb5kdc/kdc.conf</TT
>. The <TT
CLASS="filename"
>kdc.conf</TT
> file contains information about the encryption algorithm policy of the realm.
</P
><P
>&#13;The configuration information for the system on which you wish to perform Kerberos authentications is the same information which was placed in the <TT
CLASS="filename"
>/etc/krb5.conf</TT
> filename on the KDC. Here are example <TT
CLASS="filename"
><A
HREF="http://cryptnet.net/fdp/admin/kerby-infra/en/krb5.conf"
TARGET="_top"
>krb5.conf</A
></TT
> and
<TT
CLASS="filename"
><A
HREF="http://cryptnet.net/fdp/admin/kerby-infra/en/kdc.conf"
TARGET="_top"
>kdc.conf</A
></TT
> configuration files from a client for the Gnu University Dublin example.
</P
><P
>&#13;Now, you can test Kerberos authentication using the <SPAN
CLASS="application"
>kinit</SPAN
> command:
<TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="screen"
>&#13;bash$ kinit &#60;username&#62;
</PRE
></FONT
></TD
></TR
></TABLE
>
</P
><P
>&#13;If your authentication fails, the best place to look for a description of the cause are the system log files on the client and the KDC log file on the KDC which authentication was performed against. When trouble shooting authentication issues, it can be very helpful to have a terminal windows open to the KDC running a
<EM
>tail -f</EM
> on the KDC log. In our example <TT
CLASS="filename"
>krb5.conf</TT
>, the location of the
KDC log was <TT
CLASS="filename"
>/var/log/Kerberos/krb5kdc.log</TT
>.
</P
></DIV
><DIV
CLASS="section"
><H2
CLASS="section"
><A
NAME="pam"
></A
>6.2. PAM</H2
><P
>&#13;PAM, or Pluggable Authentication Module, technology which is shipped with many distributions of GNU/Linux is capable of integration with Kerberos through the <SPAN
CLASS="application"
>pam_krb5</SPAN
> module. In order to use Kerberos authentication with PAM you must install the <SPAN
CLASS="application"
>pam_krb5</SPAN
> module and modify the pam configuration files.
</P
><P
>&#13;The <SPAN
CLASS="application"
>pam_krb5</SPAN
> module comes with sample configuration filenames which are located in <TT
CLASS="filename"
>/usr/share/doc/pam_krb5-1.55/pam.d</TT
>. The basic change that these configuration files make to allow PAM controlled services to authenticate against Kerberos is similar to the following:
</P
><P
>&#13;<TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="screen"
>&#13;auth required /lib/security/pam_krb5.so use_first_pass
</PRE
></FONT
></TD
></TR
></TABLE
>
</P
></DIV
><DIV
CLASS="section"
><H2
CLASS="section"
><A
NAME="apache"
></A
>6.3. Apache Web Server</H2
><P
>&#13;Kerberos can be used as an authentication mechanism for the Apache Web Server. The <SPAN
CLASS="application"
>mod_auth_kerb</SPAN
>
application is an apache module which provides that functionality. Using that module, you will be able to set Kerberos as an authentication type for access control stanzas in the <TT
CLASS="filename"
>httpd.conf</TT
> file. Be aware that while Kerberos is being used, this is a less than ideal authentication mechanism because tickets are stored on the web server rather than on the client machine. However, if your goals is to implement a single sign-on solution or consolidate accounts, there is value here. <SPAN
CLASS="application"
>mod_auth_kerb</SPAN
> is capable of supporting Kerberos 4, however that is not covered in this howto because of the known weaknesses with version 4 of the protocol.
</P
><P
>&#13;The <SPAN
CLASS="application"
>mod_auth_kerb</SPAN
> website can be found at <A
HREF="http://modauthkerb.sourceforge.net/"
TARGET="_top"
>http://modauthkerb.sourceforge.net/</A
>. It is important to use the HTTPS protocol when accessing a site which uses <SPAN
CLASS="application"
>mod_auth_kerb</SPAN
>, since <SPAN
CLASS="application"
>mod_auth_kerb</SPAN
> uses the base auth mechanism. Base auth uses base64 encoding which can easily be translated back to plaintext. Therefore it's important that the authentication exchange is SSL encrypted to ensure that the user name and password are protected when they are transmitted to the webserver.
</P
><P
>&#13;To compile apache with the <SPAN
CLASS="application"
>mod_auth_krb</SPAN
> module, you must take the following steps:
</P
><P
>&#13;<TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="screen"
>&#13;bash$ export 'LIBS=-L/usr/Kerberos/lib -lkrb5 -lcrypto -lcom_err'
bash$ export 'CFLAGS=-DKRB5 -DKRB_DEF_REALM=\\\"GNUD.IE\\\"'
bash$ export 'INCLUDES=-I/usr/Kerberos/include'
bash$ mkdir apache_x.x.x/src/modules/kerberos
bash$ cp mod_auth_kerb-x.x.x.c apache_x.x.x/src/modules/kerberos
bash$ ./configure --prefix=/home/httpd --add-module=src/modules/Kerberos/mod_auth_kerb.c
bash$ make
bash$ make install
</PRE
></FONT
></TD
></TR
></TABLE
>
</P
><P
>&#13;You should test apache to make sure that it works. Once you have a known working copy of SSL enabled apache on the machine you can modify the <TT
CLASS="filename"
>httpd.conf</TT
> filename to provide Kerberos authentication for a directory:
</P
><P
>&#13;Here is an example stanza from the mod_auth_kerb apache modules which enables Kerberos 5 authentication for a directory:
<TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="screen"
>&#13;&#60;Directory "/home/httpd/htdocs/content"&#62;
AllowOverride None
AuthType KerberosV5
AuthName "Kerberos Login"
KrbAuthRealm GNUD.IE
require valid-user
&#60;/Directory&#62;
</PRE
></FONT
></TD
></TR
></TABLE
>
</P
></DIV
><DIV
CLASS="section"
><H2
CLASS="section"
><A
NAME="microsoft"
></A
>6.4. Microsoft Windows</H2
><P
>&#13;Due to a flawed implementation of the Kerberos standard by Microsoft, there is limited compatibility between standard MIT Kerberos and Microsoft's version. Microsoft has published a document which describes the limited ways in which Microsoft's broken version of Kerberos is able to interoperate with standard Kerberos. That document is available
<A
HREF="http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp"
TARGET="_top"
>here</A
>.
</P
></DIV
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
SUMMARY="Footer navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="server-replication.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="index.html"
ACCESSKEY="H"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="programming.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>Kerberos Server Replication</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
>&nbsp;</TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>Programming With Kerberos</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>
Reference in New Issue View Git Blame Copy Permalink