Setting Up Server / Client Kerberos on OpenBSD

As a user/administrator of OpenBSD systems, you are fortunate that Kerberos IV is a pre-installed component of the default system. Here is a guide to setting up both the Kerberos realm server and a client.

An *EXTREMELY* important point to remember is that Kerberos clients and servers must have their system clocks synchronized. If there is more than a 5 minute time skew, you will receive weird errors that do not immediately reveal themselves to be caused by time skew, such as:

kinit: Can't send request (send_to_kdc)

Another more accurate error is:

kauth: Time is out of bounds (krb_rd_req)

An easy way to synchronize system clocks is with xntpd, available in the ports tree at /usr/ports/sysutils/xntpd/.

This FAQ entry assumes you have prior knowledge of the Kerberos concepts. For a good, easy-to-understand reference, see:

The FreeBSD handbook
Use the command info kth-krb
Designing an Authentication System: a Dialogue in Four Scenes
Papers and Documentation Describing KerberosIV

Or the book

Network Security Private Communication in a Public World [Kaufman, Perlman, Speciner, 1995]

How to set up the Kerberos IV REALM and SERVER

We will be setting up the CIARASYSTEMS.COM realm, with avalanche.ciarasystems.com as the main server.

To start off, we will need to edit our configuration files. These files are located at /etc/kerberosIV/. The two files we are concerned about are krb.realms and krb.conf. Let's start off with krb.conf.

[root@avalanche kerberosIV] cat krb.conf
CIARASYSTEMS.COM
CIARASYSTEMS.COM avalanche.ciarasystems.com admin server


As you can see, this tells Kerberos that the realm (the logical domain) is CIARASYSTEMS.COM: the first line names the local realm, and the second line says that avalanche.ciarasystems.com is the KDC for that realm and, because of the "admin server" tag, also its administration server. Next we will look at krb.realms. For more information on this, refer to the krb.conf man page.

[root@avalanche kerberosIV] cat krb.realms
avalanche.ciarasystems.com CIARASYSTEMS.COM
.ciarasystems.com CIARASYSTEMS.COM


krb.realms provides a translation from a hostname to the Kerberos realm name for the services provided by that host. Each line of the translation file is in one of two forms: a hostname followed by a realm name, or a domain name (which should be of the form .XXX.YYY) followed by a realm name. So in this example, avalanche.ciarasystems.com is the hostname of a computer in the CIARASYSTEMS.COM realm, and .ciarasystems.com is a domain name whose hosts all belong to the realm CIARASYSTEMS.COM. Again, for further information read the krb.realms man page.
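As an added example (not part of the original tutorial), here is a small Python resolver for the two files above: it parses krb.conf and krb.realms in the formats shown and applies the lookup order an exact hostname entry, then the host's domain entry, then the local realm from the first line of krb.conf. The suffix walk from longest to shortest domain and the admin_server helper are this example's own assumptions, not a description of the libkrb implementation.

```python
# Added example, not from the original page: a resolver for the krb.conf and
# krb.realms formats shown in this tutorial. The sample contents below are
# constructed to match the tutorial's CIARASYSTEMS.COM realm.
KRB_CONF = """CIARASYSTEMS.COM
CIARASYSTEMS.COM avalanche.ciarasystems.com admin server
"""
KRB_REALMS = """avalanche.ciarasystems.com CIARASYSTEMS.COM
.ciarasystems.com CIARASYSTEMS.COM
"""

def parse_krb_conf(text):
    """Return (local_realm, {realm: [(kdc_host, is_admin_server), ...]}).
    First line is the local realm; later lines are 'REALM host [admin server]'."""
    lines = [ln.split() for ln in text.splitlines() if ln.strip()]
    servers = {}
    for fields in lines[1:]:
        is_admin = fields[2:4] == ["admin", "server"]
        servers.setdefault(fields[0], []).append((fields[1], is_admin))
    return lines[0][0], servers

def parse_krb_realms(text):
    """Return {hostname or .domain: REALM}, keys lower-cased for matching."""
    mapping = {}
    for ln in text.splitlines():
        fields = ln.split()
        if len(fields) == 2:  # skip blank or malformed lines
            mapping[fields[0].lower()] = fields[1]
    return mapping

def realm_of_host(host, realms, local_realm):
    """Exact host entry wins; then domain entries (.XXX.YYY), tried from the
    longest suffix to the shortest (this example's assumption); else the
    local realm from krb.conf."""
    host = host.lower()
    if host in realms:
        return realms[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in realms:
            return realms[suffix]
    return local_realm

def admin_server(realm, servers):
    """Host tagged 'admin server' for the realm (where kadmind runs), or None."""
    for host, is_admin in servers.get(realm, []):
        if is_admin:
            return host
    return None
```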

Next we will run kdb_init(8) to create the initial Kerberos database.

[root@avalanche kerberosIV] kdb_init
Realm name [default NO.DEFAULT.REALM ]: CIARASYSTEMS.COM
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.


Enter Kerberos master password: not shown
Verifying password -
Enter Kerberos master password:


Next we need to use kstash(8) which is used to save the Kerberos key distribution center (KDC) database master key in the master key cache file.

[root@avalanche kerberosIV] kstash
Enter Kerberos master password:


Current Kerberos master key version is 1.


Master key entered. BEWARE!
Wrote master key to /etc/kerberosIV/master_key


This saves the master key in /etc/kerberosIV/master_key; anyone who can read that file can decrypt the whole database, so it must stay readable by root only.
Next, we need two principals to be added to the database for each system that will be secured with Kerberos. Their names are kpasswd and rcmd. These two principals are made for each system, with the instance being the name of the individual system. These daemons, kpasswd and rcmd, allow other systems to change Kerberos passwords and run commands like rcp, rlogin and rsh.

# kdb_edit
Opening database...

Enter Kerberos master key:

Current Kerberos master key version is 1.

Master key entered. BEWARE!

Previous or default values are in [brackets] ,
enter return to leave the same, or new value.

Principal name: passwd
Instance: avalanche

, Create [y] ? y

Principal: passwd, Instance: avalanche, kdc_key_ver: 1
New Password: <----- Use 'RANDOM' as password
Verifying password -
New Password:

Random password [y] ? y
Principal's new key version = 1
Expiration date (enter yyyy-mm-dd) [ 1999-12-31 ] ? 2001-12-31
Max ticket lifetime (*5 minutes) [ 255 ] ?
Attributes [ 0 ] ?
Edit O.K.


Principal name: rcmd
Instance: avalanche

, Create [y] ? y
Principal: rcmd, Instance: avalanche, kdc_key_ver: 1
New Password: <----- Use 'RANDOM' as password
Verifying password -
New Password:

Random password [y] ? y
Principal's new key version = 1
Expiration date (enter yyyy-mm-dd) [ 1999-12-31 ] ? 2001-12-31
Max ticket lifetime (*5 minutes) [ 255 ] ?
Attributes [ 0 ] ?
Edit O.K.
Principal name: <----- Hit return to end


A srvtab file is the service key file. These must be extracted from the Kerberos key distribution center database in order for services to authenticate using Kerberos. For each hostname specified on the command line, ext_srvtab(8) creates the service key file hostname-new-srvtab, containing all the entries in the database with an instance field of hostname.
[root@avalanche kerberosIV] ext_srvtab avalanche

Enter Kerberos master password:

Current Kerberos master key version is 1.

Master key entered. BEWARE!
Generating 'avalanche-new-srvtab'....

[root@avalanche kerberosIV] mv avalanche-new-srvtab srvtab
[root@avalanche kerberosIV] chmod 600 srvtab

Now we can add users to our database.

[root@avalanche kerberosIV] kdb_edit
Opening database...

Enter Kerberos master key:

Current Kerberos master key version is 1.

Master key entered. BEWARE!
Previous or default values are in [brackets] ,
enter return to leave the same, or new value.

Principal name: jeremie
Instance:

, Create [y] ? y

Principal: jeremie, Instance: , kdc_key_ver: 1
New Password: <---- enter a secure password here
Verifying password -
New Password: <---- re-enter the password here
Principal's new key version = 1
Expiration date (enter yyyy-mm-dd) [ 2000-01-01 ] ?
Max ticket lifetime (*5 minutes) [ 255 ] ?
Attributes [ 0 ] ?
Edit O.K.
Principal name: <---- a null entry here will cause an exit,
or you can add more entries.

So now all the Kerberos particulars are set up. All that is left is to enable boot-time loading of the Kerberos server and to enable the Kerberized daemons.
In /etc/rc.conf, set:

kerberos_server=YES
In /etc/inetd.conf, uncomment:

telnet stream tcp nowait root /usr/libexec/telnetd telnetd -k
klogin stream tcp nowait root /usr/libexec/rlogind rlogind -k
kshell stream tcp nowait root /usr/libexec/rshd rshd -k
kauth stream tcp nowait root /usr/libexec/kauthd kauthd

Then, either reboot, or:
[root@avalanche /] kill -HUP `cat /var/run/inetd.pid`
[root@avalanche /] /usr/libexec/kerberos >> /var/log/kerberos.log &
[root@avalanche /] /usr/libexec/kadmind -n >> /var/log/kadmind.log &


Note: this is a rather simple server setup. Usually, redundant servers are set up (as slave servers) so that if one server goes down, the services that depend on Kerberos don't go down with it. We can also add 'su' privileges to a specific principal; see the FreeBSD Handbook.

How to Kerberize your client workstation

We will be setting up the workstation named gatekeeper to be in the CIARASYSTEMS.COM realm, with avalanche.ciarasystems.com as the main server.

To start off, we need to set up our krb.conf and krb.realms just as on the server above. This is so gatekeeper will know which server is the KDC and which realm it is in. Again, here are the file contents.

[root@gatekeeper kerberosIV] cat krb.conf
CIARASYSTEMS.COM
CIARASYSTEMS.COM avalanche.ciarasystems.com admin server

[root@gatekeeper kerberosIV] cat krb.realms
avalanche.ciarasystems.com CIARASYSTEMS.COM
.ciarasystems.com CIARASYSTEMS.COM

Now that this is set up, we need to initialize Kerberos. To obtain a ticket you use kinit(1).

xyz:jeremie% kinit
The OpenBSD Project (gatekeeper)
Kerberos Initialization
Kerberos name: jeremie
Password:

Now that we have authenticated, we can list our tickets with klist(1).

xyz:jeremie$ klist
Ticket file: /tmp/tkt1000
Principal: jeremie@CIARASYSTEMS.COM

Issued Expires Principal
Jun 28 01:03:25 Jun 28 11:03:25 [email protected]


Looks like we are set now. All that's left to do is test it. Here we will test it with rlogin(1) and telnet(1).

xyz:jeremie% telnet avalanche
Trying 192.168.0.38...
Connected to avalanche.
Escape character is '^]'.
[ Trying mutual KERBEROS4 ... ]
[ Kerberos V4 accepts you ]
[ Kerberos V4 challenge successful ]
Last login: Sun Jun 27 22:52:25 on ttyp1 from gatekeeper
Warning: no Kerberos tickets issued.
OpenBSD 2.5 (AVALANCHE) #5: Tue Apr 6 01:18:16 EDT 1999

and
xyz:jeremie% rlogin avalanche
Last login: Sun Jun 27 22:53:39 on ttyp1 from gatekeeper
Warning: no Kerberos tickets issued.
OpenBSD 2.5 (AVALANCHE) #5: Tue Apr 6 01:18:16 EDT 1999


We can tell that it is indeed using Kerberos to authenticate the rlogin session. To get rid of any tickets issued, you would use kdestroy(1). For example:

xyz:jeremie% kdestroy
Tickets destroyed.
xyz:jeremie% rlogin avalanche
krcmd: No ticket file (tf_util)
rlogin: warning, using standard rlogin: can't provide Kerberos auth data.
avalanche: Connection refused


Do not worry about 'Warning: no Kerberos tickets issued.' This is because we're only doing Kerberos authentication, not ticket passing. If you want ticket passing, use OpenSSH, which supports it. Stock Kerberos IV doesn't support TGT passing either - only the AFS kaserver's implementation of krb4 does, since the regular Kerberos IV KDC checks the client IP address listed in the ticket.



Copyright © 2003-2016 The UnixCities.com
All rights reserved