Why enable Kerberos on your system?

Convenience and security. With Kerberos, a single login grants access to all NetBSD web services. Configuration is easy and you only have to do it once (sometimes less).

NetBSD

NetBSD needs to be configured to prevent Kerberos from being used to log into your system, and then to enable Kerberos.

  1. Either disable Kerberos auth for sshd, login, etc. in /etc/pam.d, or tell your relevant services not to use PAM.

    /!\ Disabling KerberosAuthentication in /etc/ssh/sshd_config does NOT prevent sshd from invoking pam_krb5.so and prompting for a Kerberos password -- oops. Since you probably do not have a host key in the realm NETBSD.ORG you have little to fear from ssh's KerberosAuthentication method -- nothing can get tickets to use your machine, because there is no host instance for your machine shared between the NetBSD kerberos server and your local keytab. So, the bottom line: turn off UsePAM for sshd or adjust your PAM configuration; don't worry about KerberosAuthentication or GSSAPIAuthentication in sshd itself.

  2. Create /etc/krb5.conf containing only the line [libdefaults].

NetBSD will now autodiscover and uses the NETBSD.ORG KDC as defined in DNS. To use Kerberized TNF services, log in with your Kerberos password:

$ kinit <username>@NETBSD.ORG

The right-hand side is a Kerberos realm, not a DNS domain. Case is significant!

Mac OS X

OS X autodiscovers and uses the NETBSD.ORG KDC as defined in DNS. To use Kerberized TNF services, log in with your Kerberos password:

$ kinit <username>@NETBSD.ORG

The right-hand side is a Kerberos realm, not a DNS domain. Case is significant!

A Keychain.app trick

To pop up a GUI password dialog:

$ kinit <username>@NETBSD.ORG </dev/null

Check "Remember this password in my keychain" to make future Kerberos logins (sans input redirection) prompt-free.

Storing the Kerberos Password in Your Keychain

Let us say you have an account "bob" on the realm "NETBSD.ORG" with password "mypasswd". Then in a Terminal type on one single line

security add-generic-password -a "bob" -l "NETBSD.ORG (bob)" -s "NETBSD.ORG" -w "mypasswd" -c "aapl" -T "/usr/bin/kinit"

This will create an item in your default Keychain named "NETBSD.ORG (bob)" with your Kerberos credentials and kinit it will be authorized to access it. You can add as many -T "/fulpath/program" switches as you want, each will give access to the specific program to use your kerberos credentials. For example -T "/Applications/Mail.app/Contents/MacOS/Mail" will add access for Mail.app.

More details with man security.

After that kinit bob@NETBSD.ORG will not prompt you for a password but will get it from the keychain.

(This tip is orignally from superuser.com)

Windows XP

Windows does not provide an easy way to configure and use KDCs different from the one embedded into an Active Directory.

Therefore, to use Kerberos, you should follow the following steps:

  1. Download the MIT Kerberos for Windows installer. It is composed of different tools traditionally found with Kerberos distributions, like kinit(1) or klist(1) , and a Network Identity Manager, an application used to manage credential caching of Kerberos tickets.

  2. Install the package. Use the default provided options, then restart the computer.

  3. The Network Identity Manager (PDF) should automatically start when you login. As there is no principal currently configured, it should open a dialog box to obtain the new credentials.

  4. Enter your principal:

    Username: Realm: NETBSD.ORG

  5. Click Ok. After a few seconds, it should obtain the TGT for you from the NETBSD.ORG KDC.

Add a comment