Kerberos, Linux, and Fermilab

Introduction
Fermilab's Kerberos RPMS
Fermilab Kerberos Config Files
Setup (Basic Steps)
Setup (Fermi Linux)
Setup (Scientific Linux 3.0.x), (Scientific Linux 4.x)
Setup Scientific Linux Cern 4.x
Setup (Generic Linux)

Introduction

Fermilab tries to use kerberos for all authentication whenever possible. Fermilab's policies on kerberos can be found at Fermilab's 'Strong Authentication' web pages.

In pursuit of all authentication being kerberized Fermilab has released its own flavor of Kerberos. It is basically MIT's Kerberos with a few tweaks that were wanted here. The main improvement is that Fermilab's kerberos allows you to use a 'cryptocard' to authorize yourself.
The cryptocard allows you to use 'one time' passwords, and so you may authenticate yourself from a non-kerberized machine.

Fermilab's kerberos is compatible with MIT's kerberos. It is not necessary for a linux machine to use Fermilab's kerberos to log into the Fermilab realm.
Fermilab's kerberos can also be installed alongside MIT's kerberos. In the various Fermi Linux distributions, we install both MIT's kerberos and Fermilab's kerberos. They are in two different directories (/usr/kerberos and /usr/krb5). We simply put Fermilab's kerberos in your path.

Fermilab's Kerberos RPM's

KERBEROS
krb5-libs-fermi
krb5-workstation-fermi
The binaries and man pages from the kerberos product. These get installed in /usr/krb5.
It doesn't do any configuration. But krb5-workstation-fermi does put /usr/krb5/bin in your path.

krb5-fermi-krb5.conf
This rpm gives you are krb5.conf file setup to work with the FNAL.GOV kerberos realm. If you already have a krb5.conf, it saves the old one off.

krb5-fermi-config
This does the configuration that you need to be fully kerberized. It edits your krb5.conf, services, and sshd_config. It will also edit your config files in xinetd.d.
Each of these configurations are a scripts that is stored in /usr/krb5/config/ for if you want to re-do one or all of them.
It also has a script called 'makehostkeys' This script is used to create your host or ftp principle. This script must be run by hand after you get a host principle password by filling out the proper form.

The above rpm's are available at
ftp://linux.fnal.gov/linux/contrib/kerberos/
You will need to go into the appropriate directory for your linux release and get the rpm's.
The rpm's that end in current.rpm are links to the latest stable releases of the rpm's. At times there might be several versions of some of these rpm's. When you don't know which one to get, get the current.rpm.

OPENSSH
We have patched openssh to work with our kerberos, and cryptocards. It is compatible with other versions of openssh (and ssh v1) that work with kerberos and the gssapi ticket passing protocol.
Many people see that our version of openssh is version 3.5, and think that it does not have the latest security patches associated with later versions of openssh. Our version HAS been patched with all latest security patches. It is up to date with all the latest security updates as of this writting.
Our version of openssh is available at
ftp://linux.fnal.gov/linux/contrib/openssh/lts30x/
ftp://linux.fnal.gov/linux/contrib/openssh/lts4x/
Note: The openssh-3.5p1f12-1SL3.i386.rpm (for lts30x) have been tested and work on RHEL 3, RHEL 4, Mandrake 10.x, Fedora Core 2, 3, 4, Scientific Linux 3.0.x, 4x. Scientific Linux Fermi LTS 3.0.x, 4x. They have not been tested on anything Debian based, or SUSE. If you try them and find that they do work on them, let us know.
Note: The openssh-3.5p1f12-1SL4.i386.rpm (for lts4x) have been tested and work on RHEL 3, RHEL 4, Mandriva 2006.0, Fedora Core 2, 3, 4, Scientific Linux 3.0.x, 4x. Scientific Linux Fermi LTS 3.0.x, 4x. They have not been tested on anything Debian based, or SUSE. If you try them and find that they do work on them, let us know.

Fermilab's Kerberos Config Files

The kerberos config file usually is at /etc/krb5.conf
Generic krb5.conf file
Generic krb5.conf with aklog (for AFS support) turned on

The kerberized openssh config file is usually at /etc/ssh/sshd_config
Kerberized sshd_config (before openafs 3.9)

Setup - Basic Steps

There are two ways you can have kerberos configured. You can have your machine configured to be Outbound Only, or you can configure it to be both Outbound and Inbound.
If you are only going to be logging into other machines, and noone is supposed to log into your machine over the network, this is considered an Outbound Only setup. This is the common setup of laptop's, because most people expect their laptops to travel, and their IP address to change all the time, and basically noone should be logging into them.
If you plan on people logging into your machine over the network using kerberos, then you need to follow the sets for Outbound and Inbound setup. This is usually for machines that are servers, or desktops that people log into.

Outbound Only

1. Get kerberos on your machine.
   Most modern linux distributions have kerberos, and most all of them work with Fermi's kerberos. You can use MIT's kerberos, Hemdal's kerberos, the kerberos that came with your distribution. Most any of them will work.
   I personally install Fermilab's kerberos from rpm's, on all my non-Fermi Linux distributions I am running. It goes in its own directory, so it isn't stepping on anyone's toes, and I have found that it works the best behind NAT's.
   Just remember that while all of them work together ... not all of them have the same command line arguments.
2. Get kerberized openssh, that uses gssapi protocol, on your machine
   Not all ssh's that say they are kerberized, will work when trying to connect to a Fermi kerberized box. It has to be able to use the gssapi protocol, otherwise it will not be able to trade kerberos tickets correctly.
   We have been collecting various versions of openssh that have the gssapi patch's in our contrib area. You can check and see if your distribution has a version there. It is at
   ftp://linux.fnal.gov/linux/contrib/openssh/
3. Put the Fermi settings in your krb5.conf.
   You can do this by installing one of the config rpm's listed above, or useing one of the above config files. Or if you are bound to several kerberos realms, you can edit your krb5.conf and just put the important stuff from our config files, into your config files.
   The default area for a krb5.conf file is /etc/krb5.conf

Outbound and Inbound

1. Get kerberos on your machine.
   Most modern linux distributions have kerberos, and most all of them work with Fermi's kerberos. You can use MIT's kerberos, Hemdal's kerberos, the kerberos that came with your distribution. Most any of them will work.
   I personally install Fermilab's kerberos from rpm's, on all my non-Fermi Linux distributions I am running. It goes in its own directory, so it isn't stepping on anyone's toes, and I have found that it works the best behind NAT's.
   If you plan on letting people log into your machine with a Cryptocard, you must have Fermi's Kerberos installed and being uses as the servers.
   Just remember that while all of them work together ... not all of them have the same command line arguments.
2. Get kerberized openssh, that uses gssapi protocol, on your machine
   Not all ssh's that say they are kerberized, will work when trying to connect to a Fermi kerberized box. It has to be able to use the gssapi protocol, otherwise it will not be able to trade kerberos tickets correctly.
   We have been collecting various versions of openssh that have the gssapi patch's in our contrib area. You can check and see if your distribution has a version there. It is at
   ftp://linux.fnal.gov/linux/contrib/openssh/
   If you plan on letting people log into your machine with a Cryptocard, you must have Fermi's openssh installed and being uses as the openssh server.
3. Put the Fermi settings in your krb5.conf.
   You can do this by installing one of the config rpm's listed above, or useing one of the above config files. Or if you are bound to several kerberos realms, you can edit your krb5.conf and just put the important stuff from our config files, into your config files.
   The default area for a krb5.conf file is /etc/krb5.conf
4. Kerberize your openssh deamon config file.
   The easiest way is to just replace your sshd_config file with the one shown above.
   The default area for a sshd_config file is /etc/ssh/sshd_config

Setup - Fermi Linux

Scientific Linux Fermi 3.0.x (LTS 3.0.x)

Outbound Only
Nothing. SL-Fermi 3.0.x (which includes LTS 3.0.x) comes kerberized out of the box with Fermi Kerberos already installed and properly configured.

Outbound and Inbound

1. Get a host principal password  from here
2. /usr/krb5/config/makehostkeys   ( use password from previous step )
3. Get the openssh server rpm if it isn't already installed
   yum install openssh-server

Scientific Linux Fermi 4.x

Outbound Only
Nothing. SL-Fermi 4.x comes kerberized out of the box with Fermi Kerberos already installed and properly configured.

Outbound and Inbound

1. Get a host principal password  from here
2. /usr/krb5/config/makehostkeys   ( use password from previous step )
3. Get the openssh server rpm if it isn't already installed
   yum install openssh-server

Setup - Scientific Linux

Scientific Linux 3.0.x and RHEL 3

Outbound Only

1. Optional: Install Fermilab's kerberos
   This is optional because RedHat's kerberos works just fine.
   I have found that Fermilab's kerberos works better behind NAT's than RedHat's default kerberos.
   You do not have to remove RedHat's kerberos to install Fermilab's. They live in different directories and can both be on the machine with no side affects.
   rpm -Uvh ftp://linux.fnal.gov/linux/contrib/kerberos/lts3x/krb5-libs-fermi-current.rpm
   rpm -Uvh ftp://linux.fnal.gov/linux/contrib/kerberos/lts3x/krb5-workstation-fermi-current.rpm
2. Configure your krb5.conf in either of the following ways
   • By Hand
     Edit /etc/krb5.conf to look like either of the following
     krb5.conf generic file
     krb5.conf with aklog (for AFS support) turned on
   • By RPM
     rpm -Uvh ftp://linux.fnal.gov/linux/contrib/kerberos/sl30x/krb5-fermi-krb5.conf-current.rpm
3. Install a kerberized openssh that does gssapi authentication
   1. mkdir openssh
   2. cd openssh
   3. lftp ftp://linux.fnal.gov/linux/contrib/openssh/sl30x/
      cd to your appropriate arch, usually 'cd i386'
      mget *.rpm
      quit
   4. rpm -Fvh openssh*.rpm

Outbound and Inbound
Note: Inbound kerberos connections can be handled with RedHat's kerberos. The only difference is that you will not have Cryptocard support. If you want Cryptocard support, or you just want your machine to be like a SL-Fermi machine, do the instructions that start with Cryptocard:.

1. Cryptocard: Install Fermilab's kerberos
   You do not have to remove RedHat's kerberos to install Fermilab's. They live in different directories and can both be on the machine with no side affects.
   rpm -Uvh ftp://linux.fnal.gov/linux/contrib/kerberos/lts3x/krb5-libs-fermi-current.rpm
   rpm -Uvh ftp://linux.fnal.gov/linux/contrib/kerberos/lts3x/krb5-workstation-fermi-current.rpm
2. Configure your krb5.conf in either of the following ways
   • By Hand
     Edit /etc/krb5.conf to look like either of the following
     krb5.conf generic file
     krb5.conf with aklog (for AFS support) turned on
   • By RPM
     Cryptocard:rpm -Uvh ftp://linux.fnal.gov/linux/contrib/kerberos/lts3x/krb5-fermi-config-current.rpm
     or
     rpm -Uvh ftp://linux.fnal.gov/linux/contrib/kerberos/sl30x/krb5-fermi-krb5.conf-current.rpm
3. Install a kerberized openssh that does gssapi authentication
   1. mkdir openssh
   2. cd openssh
   3. lftp ftp://linux.fnal.gov/linux/contrib/openssh/sl30x/
      cd to your appropriate arch, usually 'cd i386'
      mget *.rpm
      quit
   4. rpm -Fvh openssh*.rpm
   
   OR
   Cryptocard:
   1. mkdir openssh
   2. cd openssh
   3. lftp ftp://linux.fnal.gov/linux/contrib/openssh/lts30x/
      mget *.rpm
      quit
   4. rpm -Fvh openssh*.rpm
   5. edit /etc/yum.d/yum.cron.excludes
      add openssh* to the end of the line
   6. edit /etc/yum.conf
      add exclude=openssh* up in the [main] section
4. Get a host principal password  from here
5. This is the one step, where installing Fermilab's kerberos makes things easier.
   Cryptocard:/usr/krb5/config/makehostkeys   ( use password from previous step )

OR
kadmin -r FNAL.GOV -p host/{full.host.name}@FNAL.GOV -w {password} -q "ktadd host/{full.host.name}@FNAL.GOV"
Where {full.host.name} is the full name for the computer. Basically what you put down on the form in the previous step.
And {password} is the password sent to you in the previous step.

1. Optional: Install Fermilab's kerberos
   This is optional because RedHat's kerberos works just fine.
   I have found that Fermilab's kerberos works better behind NAT's than RedHat's default kerberos.
   You do not have to remove RedHat's kerberos to install Fermilab's. They live in different directories and can both be on the machine with no side affects.
   rpm -Uvh ftp://linux.fnal.gov/linux/contrib/kerberos/lts4x/krb5-libs-fermi-current.rpm
   rpm -Uvh ftp://linux.fnal.gov/linux/contrib/kerberos/lts4x/krb5-workstation-fermi-current.rpm
2. Configure your krb5.conf in either of the following ways
   • By Hand
     Edit /etc/krb5.conf to look like either of the following
     krb5.conf generic file
     krb5.conf with aklog (for AFS support) turned on
   • By RPM
     rpm -Uvh ftp://linux.fnal.gov/linux/contrib/kerberos/sl4x/krb5-fermi-krb5.conf-current.rpm
3. Install a kerberized openssh that does gssapi authentication
   1. mkdir openssh
   2. cd openssh
   3. lftp ftp://linux.fnal.gov/linux/contrib/openssh/sl4x/
      cd to your appropriate arch, usually 'cd i386'
      mget *.rpm
      quit
   4. rpm -Fvh openssh*.rpm

Outbound and Inbound
Note: Inbound kerberos connections can be handled with RedHat's kerberos. The only difference is that you will not have Cryptocard support. If you want Cryptocard support, or you just want your machine to be like a SL-Fermi machine, do the instructions that start with Cryptocard:.

1. Cryptocard: Install Fermilab's kerberos
   You do not have to remove RedHat's kerberos to install Fermilab's. They live in different directories and can both be on the machine with no side affects.
   rpm -Uvh ftp://linux.fnal.gov/linux/contrib/kerberos/lts4x/krb5-libs-fermi-current.rpm
   rpm -Uvh ftp://linux.fnal.gov/linux/contrib/kerberos/lts4x/krb5-workstation-fermi-current.rpm
2. Configure your krb5.conf in either of the following ways
   • By Hand
     Edit /etc/krb5.conf to look like either of the following
     krb5.conf generic file
     krb5.conf with aklog (for AFS support) turned on
   • By RPM
     Cryptocard:rpm -Uvh ftp://linux.fnal.gov/linux/contrib/kerberos/lts4x/krb5-fermi-config-current.rpm
     or
     rpm -Uvh ftp://linux.fnal.gov/linux/contrib/kerberos/sl4x/krb5-fermi-krb5.conf-current.rpm
3. Install a kerberized openssh that does gssapi authentication
   1. mkdir openssh
   2. cd openssh
   3. lftp ftp://linux.fnal.gov/linux/contrib/openssh/sl4x/
      cd to your appropriate arch, usually 'cd i386'
      mget *.rpm
      quit
   4. rpm -Fvh openssh*.rpm
   
   OR
   Cryptocard:
   1. mkdir openssh
   2. cd openssh
   3. lftp ftp://linux.fnal.gov/linux/contrib/openssh/lts4x/
      mget *.rpm
      quit
   4. rpm -Fvh openssh*.rpm
   5. edit /etc/yum.d/yum.cron.excludes
      add openssh* to the end of the line
   6. edit /etc/yum.conf
      add exclude=openssh* up in the [main] section
4. Get a host principal password  from here
5. This is the one step, where installing Fermilab's kerberos makes things easier.
   Cryptocard:/usr/krb5/config/makehostkeys   ( use password from previous step )

OR
kadmin -r FNAL.GOV -p host/{full.host.name}@FNAL.GOV -w {password} -q "ktadd host/{full.host.name}@FNAL.GOV"
Where {full.host.name} is the full name for the computer. Basically what you put down on the form in the previous step.
And {password} is the password sent to you in the previous step.

Host *.fnal.gov
  protocol = 2

Setup - Generic Linux

Fedora Core 2

1. become root, and do all the following as root
2. yum install krb5-workstation
3. rpm -Uvh ftp://linux.fnal.gov/linux/contrib/kerberos/fedora2/krb5-fermi-krb5.conf-current.rpm
4. mkdir openssh
5. cd openssh
6. lftp ftp://linux.fnal.gov/linux/contrib/openssh/fedora2/
   mget *.rpm
   quit
7. rpm -Fvh openssh*.rpm

Fedora Core 3

1. become root, and do all the following as root
2. yum install krb5-workstation
3. rpm -Uvh ftp://linux.fnal.gov/linux/contrib/kerberos/fedora3/krb5-fermi-krb5.conf-current.rpm
4. mkdir openssh
5. cd openssh
6. lftp ftp://linux.fnal.gov/linux/contrib/openssh/fedora3/
   mget *.rpm
   quit
7. rpm -Fvh openssh*.rpm

Fedora Core 4

1. become root, and do all the following as root
2. yum install krb5-workstation
3. rpm -Uvh ftp://linux.fnal.gov/linux/contrib/kerberos/fedora4/krb5-fermi-krb5.conf-current.rpm
4. mkdir openssh
5. cd openssh
6. lftp ftp://linux.fnal.gov/linux/contrib/openssh/lts4x/
   mget *.rpm
   quit
7. rpm -e --nodeps openssh openssh-clients openssh-server openssh-askpass openssh-askpass-gnome
8. rpm -Uvh openssh*.rpm
   Note: You might not be able to install openssh-askpass or openssh-askpass-gnome, depending on what you already had installed, if that is the case, just delete them and try again.

Mandrake 2006.0

1. become root, and do all the following as root
2. mkdir kerb
3. cd kerb
4. lftp ftp://linux.fnal.gov/linux/contrib/kerberos/sl4x
   mget *current*
   quit
5. rm -f krb5-fermi-config-current.rpm
6. rpm -Uvh krb5*.rpm
7. cd ..
8. mkdir openssh
9. cd openssh
10. lftp ftp://linux.fnal.gov/linux/contrib/openssh/lts4x/
    mget *.rpm
    quit
11. rm -f openssh-askpass*
12. rpm -e --nodeps openssh openssh-clients openssh-server
13. rpm -Uvh openssh*.rpm

SuSE 9.2

The SuSE 9.2 DVD comes with Heimdal Kerberos (0.6.2-8) and OpenSSH (3.9p1-3). The former works fine for Fermilab, but I couldn't get the latter to work (OpenSHH 3.9 uses a newer version of GSSAPI that is not backwards compatible).

I downloaded and installed your rpms (using --force --nodeps)

openssh-askpass-3.5p1f11-4rh7x
openssh-clients-3.5p1f11-4rh7x
openssh-server-3.5p1f11-4rh7x
openssh-3.5p1f11-4rh7x

Because the RH and SuSE startup scripts are different and in different locations, I kept the original SuSE sshd startup script (/etc/init.d/sshd) and set YaST to ignore any conflicts.

With this everything seems to work fine.