Wednesday, November 21, 2012

Testing Kerberos in Ubuntu

In fixing a LightDM bug recently I needed to set up Kerberos authentication for testing. Now, Kerberos comes with quite a reputation for complexity, so this was not a task I was looking forward to, and googling around for some simple Ubuntu instructions only confirmed my expectations. But in the end I was able to get it to work [1], and here is what I did. You should probably not rely on this information for an actual Kerberos deployment.

I start with two machines running Ubuntu, one as the Kerberos server [2] and one as a client. The client is already installed with a user account called test.

Server configuration

Edit /etc/krb5.conf to set the default realm [3]:

[libdefaults]
default_realm = TEST

Install the Kerberos server:

$ sudo apt-get install krb5-kdc krb5-admin-server

Create the realm. You will be prompted for a master password for the realm:

$ sudo krb5_newrealm

Add a new user (called a principal in Kerberos language) into the realm with the same username as on the client. You will be prompted for a password for this user [4]:

$ sudo kadmin.local
kadmin.local:  add_principal test


And now the server should be running. You can check things are working by watching the log:

$ tail -f /var/log/auth.log

Client configuration

The client is a lot easier, as the packages do most of the work for you:

$ sudo apt-get install krb5-user

You will be prompted for the following information:
  • Set "Default Kerberos version 5 realm" to TEST
  • Set "Kerberos server for your realm" to the address / hostname of your server
  • Set "Administrative server for your Kerberos realm" to the address / hostname of your server

Now you can test by getting a ticket [5] from the server. You will be prompted for the password you set when running kadmin.local on the server:

$ kinit
$ kdestroy


If that worked, you're ready to go. If it didn't, have a look at auth.log on the server (the error messages are a bit cryptic though).

The next step is to set up PAM [6] to allow authentication with Kerberos. There's no configuration required, just install it:

$ sudo apt-get install libpam-krb5

Now you can log into your client machine (e.g. from LightDM/Unity Greeter) using the Kerberos password you set up on the server. Remember, if something went wrong you can still use the local password to get in [7].

The reason I set all this up was to test Kerberos accounts that need a password change at the next login. You can set that flag on a principal from the server using the following:

$ sudo kadmin.local
kadmin.local:  modify_principal +needchange test



[1] on Ubuntu 13.04 (server) and 12.04 (client). I don't know which other combinations will work.
[2] Called a Key Distribution Centre in Kerberos jargon.
[3] Kerberos calls different authentication domains realms. I've used the realm TEST though in proper usage this would be a domain name e.g. EXAMPLE.COM to avoid name collision.
[4] You will already have a password set for this user on the client machine. Pick a different password, as this lets you log in with either the Kerberos or the local password; both will work.
[5] A ticket is the name for an authentication token provided by the server. In a real implementation this ticket will allow you to access services without re-entering your password.
[6] PAM is the library that does authentication when logging into Ubuntu.
[7] The PAM configuration that the packages set up first tries your password with the Kerberos server, then against the local passwords (/etc/shadow) if that fails.

2 comments:

Stef said...

Using pam-krb5 without 'joining' the machine to the domain (i.e. getting a keytab) and verifying received tickets opens the machine up to a pretty trivial 'log-in-as-anybody' attack.

That's sort of complicated to set up on your own, but good news:

You can use FreeIPA and sssd to do this in a much better fashion. Both are available on Ubuntu.

In fact you can also use the new XDG realmd project to join stuff to the domain really simply.

Stef said...

Unfortunately just using pam-krb5 like that will open your machine up to a pretty trivial 'log-in-as-anybody-anytime-you-want' attack. Happy to go into details if you want.

To use Kerberos accounts to log in locally the machine must be 'joined' to the realm (i.e. have a keytab), and the tickets received must be verified.

It's possible to do the above with pam-krb5 but it's a pain.

Instead if you use FreeIPA and sssd this sort of stuff happens by itself. Both are available on Ubuntu too.

I also started a new project realmd which makes deploying sssd, getting the keytab etc really trivial. Doing a bit of work on it today to make sure it works well on Ubuntu.
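The checks the two comments describe, as an added example that is not part of the original post, of pam-krb5 or of realmd: a small POSIX shell preflight a client should pass before libpam-krb5 is trusted for logins. It reads a krb5.conf and a saved "klist -k" listing from files so it can run offline; the realm EXAMPLE.COM, the host client.example.com, the KDC kdc.example.com and the sample keytab listing are constructed values, and the [realms] section it inspects is the one the krb5-user package writes from the prompts above (the post itself only shows [libdefaults]).

```shell
#!/bin/sh
# Added example, not code from the original post: preflight checks for a
# Kerberos client before libpam-krb5 is allowed to authenticate users.
# Inputs are plain files so the checks run against constructed samples;
# on a real client pass /etc/krb5.conf and the output of "klist -k".

# Print the default_realm from the [libdefaults] section (empty if unset).
krb5_default_realm() {
    awk -F= '
        /^[ \t]*\[/ { s = $0; gsub(/[ \t]/, "", s); s = substr(s, 2, length(s) - 2); next }
        s == "libdefaults" {
            k = $1; gsub(/[ \t]/, "", k)
            if (k == "default_realm") { v = $2; gsub(/[ \t]/, "", v); print v; exit }
        }
    ' "$1"
}

# Return 0 if the [realms] section names a kdc for REALM ($2), 1 otherwise.
krb5_has_kdc() {
    awk -F= -v realm="$2" '
        /^[ \t]*\[/ { s = $0; gsub(/[ \t]/, "", s); s = substr(s, 2, length(s) - 2); next }
        s == "realms" && $0 ~ "^[ \t]*" realm "[ \t]*=" { inrealm = 1; next }
        s == "realms" && index($0, "}")                { inrealm = 0 }
        inrealm { k = $1; gsub(/[ \t]/, "", k); if (k == "kdc") found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Return 0 if a "klist -k" listing ($1) holds a host/... principal in REALM ($2).
keytab_has_host_principal() {
    grep -q "host/[^@ ]*@$2\$" "$1"
}

# Run every check, print one line per finding, return 0 only if all pass.
krb5_client_preflight() {
    conf=$1; listing=$2; rc=0
    realm=$(krb5_default_realm "$conf")
    if [ -z "$realm" ]; then
        echo "FAIL: no default_realm in $conf"; return 1
    fi
    echo "OK:   default_realm is $realm"
    if [ "$realm" != "$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')" ]; then
        echo "FAIL: realm names are case-sensitive and conventionally upper-case"; rc=1
    fi
    if krb5_has_kdc "$conf" "$realm"; then
        echo "OK:   a kdc is configured for $realm"
    else
        echo "FAIL: no kdc entry for $realm in [realms]"; rc=1
    fi
    if [ -f "$listing" ] && keytab_has_host_principal "$listing" "$realm"; then
        echo "OK:   host keytab present, so pam_krb5 can verify the KDC's reply"
    else
        echo "FAIL: no host/...@$realm key in the keytab, so the KDC reply cannot be verified"; rc=1
    fi
    return $rc
}

# Constructed sample 1: the minimal client from the post, realm TEST, no keytab.
minimal_conf=$(mktemp)
printf '[libdefaults]\n    default_realm = TEST\n' > "$minimal_conf"

# Constructed sample 2: a client joined to EXAMPLE.COM with a host keytab.
joined_conf=$(mktemp)
cat > "$joined_conf" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
        admin_server = kdc.example.com
    }
EOF
joined_keytab=$(mktemp)
cat > "$joined_keytab" <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------
   2 host/client.example.com@EXAMPLE.COM
EOF

krb5_client_preflight "$minimal_conf" /nonexistent || echo "minimal setup: not ready for pam_krb5 logins"
krb5_client_preflight "$joined_conf" "$joined_keytab" && echo "joined client: all checks passed"
```

On a real machine save the keytab listing first (klist -k > /tmp/keytab.txt, as root) and then run krb5_client_preflight /etc/krb5.conf /tmp/keytab.txt. The last check is the one that matters for the comments' point: pam_krb5 uses the host key to confirm that the ticket it was handed really came from the realm's KDC, and without such a key that confirmation is skipped, which is exactly the gap a plain "apt-get install libpam-krb5" leaves open.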