Possibility of not creating host principals and keytabs for Workstations

Richard E. Silverman res at qoxp.net
Wed Jan 16 22:09:16 EST 2008


>>>>> "BK" == Barry King <barryking93 at gmail.com> writes:

    BK> I'm looking for a way to use a combination of kerberos & ldap
    BK> authentication for (primarily Fedora 8) Linux workstations.  My
    BK> goal is to have an automated install that will allow users to
    BK> authenticate to kerberos immediately after install, without the
    BK> need to create host principals or extract keytabs.

You don't need to create host principals in order for a user to
authenticate to a Kerberos realm on that host.  In fact, if you have your
SRV and _kerberos RRs in the DNS, the initial /etc/krb5.conf will
probably let you kinit and use kerberized clients without any changes at all.

Now, if you want *password* authentication, as opposed to ticket-based,
that's another story -- e.g., if you want sshd to verify a password
supplied by the password or keyboard-interactive userauth methods.  Then
the host needs a shared key with the KDC so that it can verify the KDC's
identity and prevent a spoofing attack.  I think pam_krb5 lets you turn
off that verification, but it's unwise from a security standpoint.

- Richard

    BK> Right now, when I ssh in, it hangs and I get this with debug
    BK> turned on:

    BK> Jan 16 09:48:17 bkingkstest1 sshd[2295]: pam_krb5[2295]: trying previously-entered password for 'bking', allowing libkrb5 to prompt for more
    BK> Jan 16 09:48:17 bkingkstest1 sshd[2295]: pam_krb5[2295]: authenticating ' bking at REALM' to 'krbtgt/REALM at REALM'
    BK> Jan 16 09:48:17 bkingkstest1 sshd[2295]: pam_krb5[2295]: krb5_get_init_creds_password(krbtgt/REALM at REALM returned 0 (Success)
    BK> Jan 16 09:48:17 bkingkstest1 sshd[2295]: pam_krb5[2295]: got result 0 (Success)

    BK> Thoughts?

    BK> My (sanitized) krb5.conf:

    BK> [logging]
    BK>         default = SYSLOG:ERR:USER

    BK> [libdefaults]
    BK>         default_realm = REALM
    BK>         dns_lookup_kdc = false
    BK>         dns_lookup_realm = false
    BK>         noaddresses = true
    BK>         validate = false

    BK> [realms]
    BK>         EXPERTCITY.COM = {
    BK>                 kdc = names1.realm
    BK>                 master_kdc = names0.realm
    BK>                 admin_server = names0.realm
    BK>                 auth_to_local = RULE:[2:$1;$2](.*;root)s/;root$//
    BK>                 auth_to_local = RULE:[2:$1;$2](.*;admin)s/;admin$//
    BK>                 auth_to_local = DEFAULT
    BK>         }

    BK> [domain_realm]
    BK>         .realm = REALM

    BK> [appdefaults]
    BK>         pam = {
    BK>                 forwardable = true
    BK>         }

    BK> My pam.d/system-auth:

    BK> auth required /lib/security/$ISA/pam_env.so
    BK> auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
    BK> auth sufficient /lib/security/$ISA/pam_krb5.so minimum_uid=3000 use_authtok debug
    BK> #auth required /lib/security/$ISA/pam_deny.so

    BK> account required /lib/security/$ISA/pam_unix.so broken_shadow
    BK> account sufficient /lib/security/$ISA/pam_localuser.so
    BK> account sufficient /lib/security/$ISA/pam_krb5.so debug
    BK> account sufficient /lib/security/$ISA/pam_ldap.so debug
    BK> account required /lib/security/$ISA/pam_permit.so

    BK> password requisite /lib/security/$ISA/pam_cracklib.so retry=3
    BK> password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
    BK> password sufficient /lib/security/$ISA/pam_krb5.so use_authtok debug
    BK> password required /lib/security/$ISA/pam_deny.so debug

    BK> session required /lib/security/$ISA/pam_limits.so
    BK> session required /lib/security/$ISA/pam_unix.so
    BK> #session required /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel/ umask=0022
    BK> session optional /lib/security/$ISA/pam_krb5.so debug
    BK> session optional /lib/security/$ISA/pam_ldap.so debug

    BK> Any ideas?  Is what I'm trying even possible?

    BK> Thanks,

    BK> -- Barry King barryking93 at gmail.com

-- 
  Richard Silverman
  res at qoxp.net

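An added check, not from this thread or from either poster, illustrating Richard's point: a small shell audit that reports whether a workstation is in a position to verify the KDC's identity, i.e. whether krb5.conf turns TGT validation off (`validate = false`, as in the quoted file) and whether the keytab actually holds a host/ key to validate with. The helper names, the realm EXAMPLE.COM, the hostname and the keytab listings are all constructed for the demo; on a real host you would point it at /etc/krb5.conf and at the text `klist -k` prints. Which section pam_krb5 reads `validate` from varies by version, so the check flags the setting anywhere in the file rather than guessing.

```shell
#!/bin/sh
# Added example (not from the thread): audit whether a Linux workstation can
# verify the KDC's identity before trusting a password-authenticated TGT.
# Helper names are hypothetical; file paths are supplied by the caller.

# Succeeds (exit 0) when the given krb5.conf disables TGT validation anywhere
# in the file with "validate = false" (case-insensitive, any whitespace).
validate_disabled() {
    grep -Eiq '^[[:space:]]*validate[[:space:]]*=[[:space:]]*false' "$1"
}

# Succeeds when a keytab listing (the text "klist -k" prints) contains at
# least one host/<fqdn>@REALM entry, i.e. the host shares a key with the KDC.
keytab_has_host_key() {
    grep -Eq '[[:space:]]host/[^[:space:]]+@' "$1"
}

# Prints a one-line verdict; returns 0 when validation is both possible and
# enabled, 2 when a spoofed KDC could not be detected by this host.
kdc_verification_status() {
    conf=$1
    listing=$2
    if validate_disabled "$conf"; then
        echo "UNVERIFIED: validate = false in $conf (TGT accepted without checking it against the host key)"
        return 2
    fi
    if ! keytab_has_host_key "$listing"; then
        echo "UNVERIFIED: no host/ principal in keytab listing $listing (nothing to validate the TGT with)"
        return 2
    fi
    echo "SAFE: validation enabled and host key present"
    return 0
}

# --- constructed sample inputs for the demo (not real hosts or keytabs) ---
DEMO_DIR=$(mktemp -d)

# Modeled on the krb5.conf quoted in the thread: validation switched off.
cat > "$DEMO_DIR/weak.conf" <<'EOF'
[libdefaults]
        default_realm = EXAMPLE.COM
        validate = false
EOF

# Hardened variant: validation left on, set in the pam application section.
cat > "$DEMO_DIR/hardened.conf" <<'EOF'
[libdefaults]
        default_realm = EXAMPLE.COM
[appdefaults]
        pam = {
                validate = true
        }
EOF

# A keytab listing with no entries at all (constructed).
cat > "$DEMO_DIR/empty.klist" <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
EOF

# The same listing after a host principal was created and its key extracted.
cat > "$DEMO_DIR/with-host.klist" <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/ws1.example.com@EXAMPLE.COM
EOF

kdc_verification_status "$DEMO_DIR/weak.conf" "$DEMO_DIR/with-host.klist" || true
kdc_verification_status "$DEMO_DIR/hardened.conf" "$DEMO_DIR/empty.klist" || true
kdc_verification_status "$DEMO_DIR/hardened.conf" "$DEMO_DIR/with-host.klist"
```

The first two calls report UNVERIFIED (validation disabled, and no host key respectively); only the third is SAFE. A passing audit still only shows the precondition is met: the definitive test is to log in with a password and confirm in the pam_krb5 debug output that the TGT was validated against the host key.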