
Stanford Kerberos Authentication with Ubuntu


Kerberos Authentication with Ubuntu

This howto is for Stanford system administrators. It lets users with SUnet IDs, as well as users with local accounts, log in to Stanford-hosted Ubuntu servers.

  • Tested with Ubuntu Server 9.04. It does not work on 9.10, because the libkrb53 package is obsolete there.
  • Follow the instructions at http://www.stanford.edu/services/kerberos/install/debian.html
  • If you skip those instructions, do the following.
  • Create /etc/krb5.conf. The file is pasted below; the complete version can be copied from /etc/krb5.conf on any Leland server.

# /etc/krb5.conf -- Kerberos V5 general configuration.
# $Id: krb5.conf 12503 2009-01-10 13:55:13Z rra $
#
# This is the standard Kerberos v5 configuration file for all of our
# servers. It is based on the Stanford-wide configuration, the canonical
# version of which is in /usr/pubsw/etc/krb5.conf.
#
# This configuration allows any enctypes. Some systems with really old
# Kerberos software may have to limit to triple-DES and DES.

[appdefaults]
default_lifetime = 25hrs
krb4_get_tickets = false
krb4_convert = false
krb4_convert_524 = false
krb5_get_tickets = true
krb5_get_forwardable = true

.... "removed for security reasons. Log into a Leland server and look for the file listed under /etc/krb5.conf"

[logging]
kdc = SYSLOG:NOTICE
admin_server = SYSLOG:NOTICE
default = SYSLOG:NOTICE

  • sudo apt-get install krb5-user krb5-clients
  • If the package configuration asks for a default realm or KDC, cancel; /etc/krb5.conf already holds those settings.
  • Now it is time to test Kerberos.
    • Type kinit SUnetID and enter your SUnet password when prompted.
    • Type klist and check that your ticket is listed.
  • Creating a keytab
    • http://www.stanford.edu/services/kerberos/sysadmin/wallet.html
    • If wallet-client fails to install with the error Depends: libremctl1 (>= 2.10), install it with aptitude instead of apt-get.
    • After creating the keytab, run wallet -f keytab.host.ServerName get keytab host/ServerName.stanford.edu, which writes it to keytab.host.ServerName; then move and rename that file to /etc/krb5.keytab.
    • The keytab holds the host's long-term key, and anyone who can read it can impersonate the host, so it must be owned by root with mode 600: chmod 600 /etc/krb5.keytab
  • Test that Kerberos is still working (kinit and klist as above) before moving on to the PAM configuration.

PAM

Edit /etc/ssh/sshd_config and add

GSSAPIAuthentication yes
GSSAPIKeyExchange yes
GSSAPICleanupCredentials yes

  • Also check that UsePAM yes is set in /etc/ssh/sshd_config, and restart sshd after editing it.
  • Edit these files under /etc/pam.d/. Kerberos only authenticates: each SUnet user still needs an account the system can resolve (a local passwd entry, or one served through NSS from LDAP), otherwise the login fails even with a valid password.

common-account

# Local accounts pass on pam_unix alone. pam_ldap needs libpam-ldap installed
# (drop that line if LDAP is not in use); pam_krb5 is consulted last.
account sufficient pam_unix.so
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] pam_ldap.so
account required pam_krb5.so

common-auth

# pam_unix runs first so local accounts never contact the KDC; pam_krb5 reuses
# the same password (use_first_pass) and asks for a forwardable TGT.
auth sufficient pam_unix.so try_first_pass nullok_secure
auth [success=ok default=die] pam_krb5.so use_first_pass forwardable

common-krb5

# Not a stock Ubuntu file: only services whose /etc/pam.d entry @includes common-krb5 use it.
auth sufficient /lib/security/pam_krb5.so use_first_pass

common-password

# Stock Ubuntu line of the period. pam_krb5 is not in this stack, so passwd
# changes only the local Unix password, never the SUnet password.
password required pam_unix.so nullok obscure min=4 max=8 md5

common-session

# pam_krb5 is optional so local logins still get a session when no ticket exists.
session optional pam_krb5.so
session required pam_unix.so
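An added post-install check script, not part of the original howto, that tests what the steps above set up: the keytab mode, the GSSAPI and UsePAM lines in sshd_config, and the pam_krb5 entries in the PAM files. Run check_host / on the configured server. The sample tree built at the bottom, one host with the edits applied and one stock-looking host, is constructed so the script runs and shows both outcomes without touching /etc; the check labels, the sample file contents and the use of GNU stat are assumptions.

```shell
#!/bin/sh
# Post-install checks for the setup above: keytab permissions, the sshd_config
# GSSAPI/UsePAM lines, and the pam_krb5 entries under /etc/pam.d.
# Added example, not part of the original howto. check_host takes a root
# directory so it can be pointed at the live system (/) or at the constructed
# sample tree built at the bottom.

# 0 if the keytab exists and is mode 600 (owner read/write only). Uses GNU stat.
keytab_mode_ok() {
    _mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    [ "$_mode" = "600" ]
}

# 0 if KEY is set to VALUE in an sshd_config. Keywords are case-insensitive,
# comment lines are skipped, and sshd honours the first occurrence of a keyword.
sshd_option_is() {
    _got=$(grep -iE "^[[:space:]]*$2[[:space:]]+" "$1" 2>/dev/null \
           | head -n 1 \
           | sed -E 's/^[[:space:]]*[^[:space:]]+[[:space:]]+//; s/[[:space:]]*$//' \
           | tr 'A-Z' 'a-z')
    [ -n "$_got" ] && [ "$_got" = "$(printf '%s' "$3" | tr 'A-Z' 'a-z')" ]
}

# 0 if MODULE appears on a non-comment line of a PAM file.
pam_module_active() {
    grep -vE '^[[:space:]]*#' "$1" 2>/dev/null | grep -q "$2"
}

FAILS=0
report() {
    _label=$1; shift
    if "$@"; then echo "PASS  $_label"; else echo "FAIL  $_label"; FAILS=$((FAILS + 1)); fi
}

# Run every check below ROOT (/ for the real host); returns the failure count.
check_host() {
    _r=${1%/}; FAILS=0
    report "krb5.conf present"                 test -s "$_r/etc/krb5.conf"
    report "krb5.keytab is mode 600"           keytab_mode_ok "$_r/etc/krb5.keytab"
    report "sshd GSSAPIAuthentication yes"     sshd_option_is "$_r/etc/ssh/sshd_config" GSSAPIAuthentication yes
    report "sshd GSSAPICleanupCredentials yes" sshd_option_is "$_r/etc/ssh/sshd_config" GSSAPICleanupCredentials yes
    report "sshd UsePAM yes"                   sshd_option_is "$_r/etc/ssh/sshd_config" UsePAM yes
    report "common-auth uses pam_krb5"         pam_module_active "$_r/etc/pam.d/common-auth" pam_krb5.so
    report "common-session uses pam_krb5"      pam_module_active "$_r/etc/pam.d/common-session" pam_krb5.so
    return "$FAILS"
}

# Constructed sample tree (assumed contents): "good" has the edits from this
# page applied; "bad" still has a world-readable keytab, GSSAPI commented out
# and no pam_krb5 lines.
SAMPLE=$(mktemp -d)
trap 'rm -rf "$SAMPLE"' EXIT
for h in good bad; do
    mkdir -p "$SAMPLE/$h/etc/ssh" "$SAMPLE/$h/etc/pam.d"
    echo '[libdefaults]' > "$SAMPLE/$h/etc/krb5.conf"
    : > "$SAMPLE/$h/etc/krb5.keytab"
done
chmod 600 "$SAMPLE/good/etc/krb5.keytab"
chmod 644 "$SAMPLE/bad/etc/krb5.keytab"
printf '%s\n' 'GSSAPIAuthentication yes' 'GSSAPIKeyExchange yes' \
    'GSSAPICleanupCredentials yes' 'UsePAM yes' > "$SAMPLE/good/etc/ssh/sshd_config"
printf '%s\n' '#GSSAPIAuthentication no' 'UsePAM yes' > "$SAMPLE/bad/etc/ssh/sshd_config"
printf '%s\n' 'auth sufficient pam_unix.so try_first_pass nullok_secure' \
    'auth [success=ok default=die] pam_krb5.so use_first_pass forwardable' \
    > "$SAMPLE/good/etc/pam.d/common-auth"
printf '%s\n' 'session optional pam_krb5.so' 'session required pam_unix.so' \
    > "$SAMPLE/good/etc/pam.d/common-session"
printf '%s\n' 'auth required pam_unix.so nullok_secure' '# auth sufficient pam_krb5.so' \
    > "$SAMPLE/bad/etc/pam.d/common-auth"
printf '%s\n' 'session required pam_unix.so' > "$SAMPLE/bad/etc/pam.d/common-session"

echo "== host with the edits applied =="
check_host "$SAMPLE/good"
echo "== stock host =="
check_host "$SAMPLE/bad" || echo "$? check(s) failed"
```

The sshd check deliberately takes the first uncommented occurrence of a keyword, because that is what sshd itself uses; a correct GSSAPIAuthentication yes added below an earlier GSSAPIAuthentication no would be ignored by the daemon and is reported as a failure here.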

Troubleshoot

  • Check /var/log/auth.log for sshd and pam_krb5 errors.
  • klist -k /etc/krb5.keytab lists the principals in the keytab; host/ServerName.stanford.edu should be among them, and kinit -k -t /etc/krb5.keytab host/ServerName.stanford.edu confirms that the key in the keytab matches the KDC.