How to Kerberize your site 

Contents

Introduction

One way to help is with Kerberos. Kerberos is an authentication and encryption scheme that allows a user to become "known" by an authenticating server and then use that authentication to access systems and services on the net. The services can then transpire in an encrypted fashion to further secure transactions occurring over the net. The philosophy behind the creation of Kerberos, and a short summary of how it works is available, but here we assume that you know what Kerberos is, and wish to implement a Kerberos domain on your network. But, we also assume that you are not a hot-shot UNIX programmer, so we intend to lead you by the hand in a step-by-step fashion through the entire process. In other words, this is our version of "Kerberos for Dummies."

Several commercial integrators provide enterprise Kerberos solutions as well as technical support and maintenance.  In particular, perhaps the easiest way to install Kerberos V5 is to use Kerbnet from Cygnus solutions. Kerbnet is free and has clients for Win32 machines, Macintoshes and Unix hosts, and has KDC software for Unix and NT as well as host servers for Unix platforms.

Check out the MIT Kerberos Web Site for the latest Kerberos release news.  Another good source of information is the Kerberos FAQ compiled by Ken Hornstein.

Pick a Kerberos server machine (kdc)

• The server should be physically secure.
• The operating system should be up to date with all the latest patches applied.
• There should be no user accounts on the machine except for the Kerberos administrator.
• There should as few processes as possible running on the server other than the Kerberos key server demons.
• You probably need additional machines to serve as alternate servers in case there is a hardware problem or a network outage.

DCE and Kerberos

 If anyone has questions about using MIT Kerberos 5 tools with a DCE based KDC, send a message to:
[email protected]

More information on the issues involved in accessing the distributed file systems AFS and DFS from Kerberos are discussed by Doug Engert.

If you use the DCE based KDC, you still need to compile the MIT Kerberos 5 software. But you will not run the MIT Kerberos key server (/krb5/sbin/krb5kdc) or the MIT kadmind server (/krb5/sbin/kadmind).

Install the Kerberos server

In these instructions, your typing is shown in italics.

Consider obtaining the Kerbnet code from Cygnus Solutions. This code is prebuilt and well-documented.

Obtain the necessary code

1. Create a directory for your kerberos code.

mkdir /kerberos
cd /kerberos
2. ftp to MIT to obtain the code. It is easiest if you use your Web browser.

ftp://athena-dist.mit.edu/pub/kerberos
An alternate site for all of the software is ftp://prep.ai.mit.edu/pub/kerberos.
3. In the /pub/kerberos directory, get the README.KRB5 file:
4. Read the file to find out the name of the directory containing the code (it changes periodically)

For me, this was dist/961209, but it may have changed. You must go to this directory in one step!
ftp://athena-dist.mit.edu/pub/kerberos/dist/961209
5. Retrieve all the files (in binary!). The .asc files are the digital signatures for the corresponding files so that you can ensure that they have been unchanged.
6. gunzip all the files and extract them. If you do not have gunzip, you can obtain it from the same place:

ftp://athena-dist.mit.edu/pub/gnu/gzip-1.2.4.tar

Do you need more code?

To properly build the C compiler (gcc), you will first need to get and install bison and the gnu assembler (as). The assembler is found in the binutils package. Without the gnu assembler, I obtained numerous warnings during the compilation procedure, all of which disappeared when the gnu as was used. You might also be more successful if you use the gnu make facility. If you do not have a C library on your machine, you will also need to obtain glibc from the gnu distribution (this should NOT be necessary on a UNIX machine). For debugging, obtain the gnu debugger, gdb.

It will probably take an afternoon to build all of these tools. In each case, installation is fairly straight forward. As root, gunzip and untar each of the above .tar.gz files and switch into the program's root directory, which is always the utility name followed by the release number. To be safe, read the INSTALL file or README file if the former does not exist. You can use gzcat to save disk space by doing both of these steps at once:

gzcat filename.tar.gz | tar -xpf -

Building the gnu tools

1. Create the Makefile by running

./configure
2. Make the program by doing

make
3. Install the utilities in /usr/local/bin by doing

make install

Building the gnu C compiler

1. In the gcc_version directory, run

./configure --with-gnu-as
2. Build the stage 1 compiler. Just type make LANGUAGES=c in the compiler directory. This will take some time.
3. Copy the initial compiler build into the stage1 subdirectory by typing

make stage1
4. Copy the gnu assembler into the stage1 directory. For example,

cp /usr/local/bin/as ~/gnu/gcc-2.7.2.1/stage1/as
5. Compile the compiler with itself to make the stage 2 compiler.

make CC="stage1/xgcc -Bstage1/" CFLAGS="-g -O2" LANGUAGES="C C++"
If you do not wish to have a C++ compiler, just use LANGUAGES="C".
6. Finally, to be safe, test the compiler by compiling it with itself one more time. Install any other necessary GNU tools (such as the gnu assembler or the GNU linker) in the `stage2' subdirectory as you did in the `stage1' subdirectory, then

make stage2
make CC="stage2/xgcc -Bstage2/" CFLAGS="-g -O2"
This is called making the stage 3 compiler. Aside from the `-B' option, the compiler options should be the same as when you made the stage 2 compiler. But the `LANGUAGES' option need not be the same. The command shown above builds compilers for all the supported languages; if you don't want them all, you can specify the languages to build by typing the argument `LANGUAGES="LIST"', as described above.
7. You can compare the stage2 and stage 3 compilers (they should be identical) by running

make compare
However, I have had no luck doing this. The two stages are always quite different on my machine.
8. Install the compiler driver, the compiler's passes and run-time support with `make install'. Use the same value for `CC', `CFLAGS' and `LANGUAGES' that you used when compiling the files that are being installed. One reason this is necessary is that some versions of make have bugs and recompile files gratuitously when you perform this step. If you use the same variable values, those files will be recompiled properly.

For example, if you have built the stage 2 compiler, you can use the following command:
make install CC="stage2/xgcc -Bstage2/" CFLAGS="-g -O" LANGUAGES="C C++"
This should copy the files `cc1', `cpp' and `libgcc.a' to files `cc1', `cpp' and `libgcc.a' in the directory `/usr/local/lib/gcc-lib/TARGET/VERSION', which is where the compiler driver program looks for them. Here TARGET is the target machine type specified when you ran `configure', and VERSION is the version number of GNU CC. This naming scheme permits various versions and/or cross-compilers to coexist. This step also copies the driver program `xgcc' into `/usr/local/bin/gcc', so that it appears in typical execution search paths.

install-normal: install-common $(INSTALL_HEADERS) $(INSTALL_LIBGCC) \
install-libobjc install-man lang.install-normal install-driver

to eliminate install-info from the second line. Then gcc was successfully installed! 

Compiling Kerberos

It is also good to get advice from experts. So, obtain the README file from Doug Engert's ftp site at Argonne National Laboratory:

ftp://achilles.ctd.anl.gov/pub/kerberos.v5/README

For example, for my HP-UX 10 system, Doug suggests many options in the configure command:

../src/configure --with-cc=gcc \
--with-ccopts="-O " --prefix=/krb5\
--with-cppopts='-DANL_DCE -DAFS524 '

The prefix option places the resulting source into the directory /krb5 rather than the default. In general, I had much better success getting configure to work properly if I put the --prefix command near the beginning of the configure argument string rather than at the end. It shouldn't make any difference, but it did.

For Solaris 2.6 I used the Sun c89 compiler and make (no gnu utilities) and had no problems at all. I used the configure command:

../src/configure --with-cc=c89 \
--enable-shared \
--with-ccopts="-O "\
--with-cppopts="-DANL_DCE -DANL_AFS_PAG -DANL_DFS_PAG -DAFS524 -DNO_MOTD "\
--prefix=/krb5

For AIX 3.2.x, I had the IBM ANSI compiler, but the build only worked if I used --with-cc=cc as opposed to xlc or c89. On this platform, all components built properly with the configure command:

../src/configure --with-cc=cc \
--with-ccopts="-O " \
--with-cppopts='-DANL_DCE -DAFS524 '\
--prefix=/krb5

For AIX 4.1.3, I used the IBM (cc) compiler and the configure command:
../src/configure --with-cc=cc --prefix=/krb5 \
--with-cppopts='-DANL_DCE -DAFS524 -ULOGIN_CAP_F '

For AIX 4.2 with the IBM C/C++ compiler, configure would not work unless I used the command:
../src/configure --with-cc=cc --prefix=/krb5 \
--with-cppopts='-DANL_DCE -DAFS524 -ULOGIN_CAP_F '

However, make will fail in the /src/util/pty directory unless you edit the Makefile to remove the two switches -DHAVE_SETUTXENT=1 -DHAVE_UTMPX_H=1
Having both utmp.h and utmpx.h included causes the utmp structure to be multiple defined, and the definition in utmpx is not the one that is needed.

 The code for the telnetd will not compile because the include in the file src/appl/telnet/telnetd/termios-tn.c is incorrect. Change #include <termios.h>
to #include <sys/termio.h>

For all platforms

1. In the /krb5-1.0/src directory, run the above configure command.
2. Make the code by doing

make
in the src directory.
If you are using the GNU make, and have renamed it to gmake, use the command
gmake MAKE=gmake
3. Install Kerberos using

make install
(or  gmake MAKE=gmake install)
which puts the code into /krb5, as specified by the prefix option in configure.

Configuring the Kerberos kdc

Create the configuration files

Edit these files to reflect your Kerberos domain instead of mine (dsdoe.ornl.gov).

Create the Kerberos databases

/krb5/sbin/kdb5_util create -r dsdoe.ornl.gov -s
Initializing database '/krb5/lvar/krb5kdc/principal' for realm 'dsdoe.ornl.gov',
master key name 'K/[email protected]'

You will be prompted for the database Master Password. It is important that you NOT FORGET this password.

Enter KDC database master key:
your_master_key
Re-enter KDC database master key to verify:
your_master_key

Replace our domain name with yours. The -s creates a stash file which is used to authenticate the KDC to itself.

Create an administrator kadm5.acl file following the instructions in the Kerberos manual. Put it in the location specified in the 'acl_file =' section of kdc.conf.

Add your administrator(s) to the KDC database as per the manual

 /krb5:738: sbin/kadmin.local
kadmin.local: addprinc admin/[email protected]
Enter password for principal "admin/[email protected]": your_password
Re-enter password for principal "admin/[email protected]": your_password
Principal "admin/[email protected]" created./krb5/sbin/kadmin.local

Create the keytab file on the server. kadmind uses this to determine what access it should give to administrators. The manual is wrong here. Stay in kadmin.local and give the command:

kadmin.local: ktadd -k /krb5/var/krb5kdc/kadm5.keytab kadmin/admin kadmin/changepw
Entry for principal kadmin/admin with kvno 3, encryption type DES-CBC-CRC added to keytab WRFILE:/krb5/var/krb5kdc/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type DES-CBC-CRC added to keytab WRFILE:/krb5/var/krb5kdc/kadm5.keytab.
kadmin.local: quit

Edit the /etc/services file to include the following kerberized servcies. This list shows all the available servcies. Your key server should only have the uncommented lines on the key server machine. The other services are used for Kerberized hosts.

# # Kerberos (Project Athena/MIT) services
#
#kerberos 88/udp kdc # Kerberos 5 kdc
#kerberos 88/tcp kdc # Kerberos 5 kdc
#klogin 543/tcp # Kerberos rlogin -kfall
#kshell 544/tcp krcmd # Kerberos remote shell -kfall
krb5_prop 754/tcp # Kerberos v5 slave propagation
kerberos-adm 749/tcp # Kerberos v5 admin/chpwd
kerberos-adm 749/udp # Kerberos v5 admin/chpwd
#eklogin 2105/tcp # Kerberos encrypted rlogin -kfall
kpasswd 761/tcp kpwd # Kerberos "passwd" -kfall
#ktelnet 545/tcp # Kerberized telnet v4/v5
#kftp-data 546/tcp # Kerberized ftp data V5
#kftp 547/tcp # Kerberized ftp v5
#

Start the Kerberos key servers

/krb5/sbin/krb5kdc
/krb5/sbin/kadmind

If you want the two servers to start up automatically when your kdc machine is rebooted, you need to add them to your rc.local, inittab, or init.d or whatever your system uses to start processes at boot time.

Getting the kadmin demon to work

kadmin: Client not found in Kerberos database while initializing kadmin interface

To be able to use the kadmin interface, you need to register yourself as a database administrator.

On the KDC machine, in kadmin.local add an administrator role for yourself:

kadmin.local: addprinc jar/[email protected]
Enter password for principal "jar/[email protected]": your_password
Re-enter password for principal "jar/[email protected]": your_password
Principal "jar/[email protected]" created.
kadmin.local: quit

Now, on a remote machine (on which you have also installed Kerberos), you can get a ticket as an administrator.

 dsrocf:/krb5/bin: ./kinit jar/admin
Password for jar/[email protected]: your_password
dsrocf:/krb5/bin: ./klist

Now you can check to see that you have the correct ticket
Ticket cache:

/tmp/krb5cc_0
Default principal: jar/[email protected]
Valid starting Expires Service principal
18 Dec 96 14:13:52 19 Dec 96 00:13:26 krbtgt/[email protected]

NOTE: This HP-UX machine has DCE clients installed as part of the operating system. BE SURE TO USE THE PROGRAMS IN THE /krb5 DIRECTORY TREE. THE DCE VERSIONS ARE NOT COMPATIBLE WITH KERBEROS V5.

Now you can access kadmin on the Kerberos server (dsroc3) from dsrocf.

dsrocf:/krb5/sbin:409: ./kadmin
Enter password: your_password
kadmin:

Tip

A very easy way to see whats going wrong is to use strace. You can see what the program is trying to do and where it fails. To use strace on kadmin for example: strace kadmin.