How to set up Kerberos authentication in network services

Your organization has a Kerberos realm EXAMPLE.COM, or you set one up. You operate a service such as ssh, SMTP/IMAP/POP, or a web site. How do you kerberize the service to let users authenticate with Kerberos single sign-on instead of juggling passwords?

The answer will vary from service to service, and may sometimes be phrased in terms of GSS-API, but it will always have three parts:

  1. Determine the service's principal name, based on the protocol, the service's hostname, and the realm name.

    For example, IMAP uses imap/hostname. So if your users are connecting to the IMAP host imap.example.com, the service principal name will be imap/imap.example.com (or imap/imap.example.com@EXAMPLE.COM if fully qualified with a realm name).

  2. Get a key for the service principal from the Kerberos KDC using kadmin(8): first kadmin add to generate a key for the service principal, and then kadmin ext to extract it into a keytab.

    The key is a secret shared between the service and the KDC. Anyone who knows the key can spoof the service, so you must keep it secret.

  3. Put the keytab in a file readable by the server software, for example /etc/dovecot/dovecot.keytab, and point the software at the keytab and service principal name.

    Some software that uses GSS-API will instead use the GSS-API spelling of a service principal name. For example, IMAP uses IMAP@hostname, and HTTPS uses HTTP@hostname. The realm name is omitted and must be determined separately, either by setting a default realm or domain-to-realm mapping in krb5.conf(5), or by creating _kerberos.host TXT records with the realm name in the DNS.
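The three steps above as one script, added here as an example (not code from the page): it assumes Heimdal's kadmin, kinit and ktutil (the flags are Heimdal's) and takes the domain-to-realm mapping as a SUFFIX=REALM argument instead of reading krb5.conf.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes Heimdal's kadmin, kinit and
# ktutil (the flags are Heimdal's; MIT spells them differently). "kadmin -l"
# edits the KDC database on the local host; drop -l to go through kadmind.
set -eu

# Step 1: the service principal is protocol/hostname@REALM. The hostname is
# lowercased and a trailing dot dropped, because a name that differs in case
# or in a trailing "." is a different principal as far as the KDC is concerned.
service_principal() {
    proto=$1; realm=$3
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z' | sed 's/\.$//')
    printf '%s/%s@%s\n' "$proto" "$host" "$realm"
}

# The GSS-API spelling (HTTP@www.example.com) carries no realm; supply it from
# a domain-to-realm mapping given as "SUFFIX=REALM", the same shape as a
# krb5.conf [domain_realm] line such as ".example.com = EXAMPLE.COM".
gss_to_krb5() {
    proto=${1%@*}; host=${1#*@}
    suffix=${2%%=*}; realm=${2#*=}
    case "$host" in
        *"$suffix") service_principal "$proto" "$host" "$realm" ;;
        *) echo "no domain_realm mapping for $host" >&2; return 1 ;;
    esac
}

# Steps 2 and 3: make a random key at the KDC, extract it into a keytab that
# only the service account can read, then check the keytab really works by
# obtaining a ticket with it (kinit fails if the keytab's key does not match).
kerberize() {
    princ=$(service_principal "$1" "$2" "$3"); keytab=$4; owner=${5:-root}
    kadmin -l add --random-key --use-defaults "$princ"
    umask 077                                  # keytab is created 0600
    kadmin -l ext_keytab --keytab="$keytab" "$princ"
    chown "$owner" "$keytab"; chmod 0400 "$keytab"
    ktutil -k "$keytab" list                   # show the kvno/enctypes extracted
    KRB5CCNAME="FILE:/tmp/kerberize.$$" kinit --keytab="$keytab" "$princ"
    KRB5CCNAME="FILE:/tmp/kerberize.$$" kdestroy
    echo "ok: $princ in $keytab (owner $owner)"
}

# Usage: kerberize.sh imap imap.example.com EXAMPLE.COM /etc/dovecot/dovecot.keytab dovecot
if [ $# -ge 4 ]; then kerberize "$@"; fi
```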

  1. sshd
  2. postfix (submission)
  3. apache2 (HTTPS)
  4. nginx (HTTPS)

sshd

sshd(8) uses service principal names of the form host/hostname (not ssh/hostname).

sshd(8) always uses the default system keytab at /etc/krb5.keytab (or whatever has been set as default_keytab_name in krb5.conf(5)).

XXX .k5login, aname2lname/auth_to_local mapping

XXX warn against pam_krb5

postfix (submission)

XXX SASL GSSAPI, via dovecot/cyrus SASL

apache2 (HTTPS)

apache2 uses service principal names of the form HTTP/hostname.

XXX mod_auth_gssapi (or legacy mod_auth_kerb)

XXX reverse-proxy remote-user

nginx (HTTPS)

nginx uses service principal names of the form HTTP/hostname.

XXX spnego-http-auth-nginx-module? https://github.com/stnoonan/spnego-http-auth-nginx-module

XXX reverse-proxy remote-user