Kerberos/Authentication on Linux

Required Software

Gentoo

Install the required software by running

emerge pam_krb5

mit-krb5 is a dependency of pam_krb5 and will be installed if it isn't already.

Configuration

krb5.conf

Your krb5.conf file (usually /etc/krb5.conf) needs to be configured to connect to the Case Kerberos server. See Kerberos for a version of this file configured for Case's environment.

Test the configuration by running:

kinit abc123

where abc123 is your Case network username. If you enter your password correctly and everything works, kinit prints nothing at all; any output is an error message.

PAM Configuration

You need to insert the Kerberos PAM module into the PAM authentication stack. To allow authentication against Kerberos (with other modules still able to authenticate the user), add the following:

auth       sufficient   pam_krb5.so try_first_pass

To force authentication against the Kerberos server (so that a user must authenticate with Kerberos, and local-only accounts cannot log in), add

auth       required     pam_krb5.so try_first_pass

A complete PAM stack for user authentication might look like the following:

auth       required     pam_env.so
auth       sufficient   pam_krb5.so try_first_pass
auth       sufficient   pam_unix.so likeauth nullok
auth       required     pam_deny.so

This stack first checks the user's password against the Case Kerberos server. If that fails, it checks the same password against the local /etc/shadow file; pam_deny at the end rejects anyone neither module accepted.

If you wish to place the Kerberos module as a fallback authentication module (after pam_unix), you need to change the try_first_pass parameter to use_first_pass, or the user will be prompted a second time for a password when the first module rejects it.

Optionally, you can plug the Kerberos module into PAM for password changing, so that any time a password is changed on the machine, your Case network ID password changes as well. This is much easier than doing it online!

password   sufficient   pam_krb5.so use_authtok

A complete PAM password stack might look like the following:

password   required     pam_cracklib.so retry=3
password   sufficient   pam_unix.so nullok md5 shadow use_authtok
password   sufficient   pam_krb5.so use_authtok
password   required     pam_deny.so

Location of PAM Stack

The configuration settings above need to be added to files that are normally located in /etc/pam.d/ or a similarly named location. For Gentoo, the file that needs to be edited is /etc/pam.d/system-auth.
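As an added example (not part of the original page, and not code from pam_krb5 or Gentoo), here is a small Python linter that parses a PAM stack in the /etc/pam.d format shown above and flags the pitfalls this section describes: a fallback auth module without use_first_pass (second password prompt), pam_krb5 marked required (local-only accounts locked out), a password-stack module after pam_cracklib without use_authtok (strength check bypassed), and a stack that does not close with pam_deny. The sample stacks embedded in it are constructed for the example; point parse_pam at the contents of /etc/pam.d/system-auth to check a real file.

```python
"""Lint a Linux-PAM stack for the pitfalls described in the section above.

Added example for this page; not code from the original wiki, Gentoo or pam_krb5.
The sample stacks at the bottom are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class PamEntry:
    kind: str                               # auth / account / password / session
    control: str                            # required / requisite / sufficient / optional
    module: str                             # e.g. pam_krb5.so
    args: List[str] = field(default_factory=list)


# Modules that consume the login password (auth) or set a new one (password)
PASSWORD_MODULES = {"pam_unix.so", "pam_krb5.so"}
STRENGTH_CHECKERS = {"pam_cracklib.so", "pam_pwquality.so"}


def parse_pam(text: str) -> List[PamEntry]:
    """Parse the column format used in /etc/pam.d: type control module [args...]."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        entries.append(PamEntry(parts[0], parts[1], parts[2], parts[3:]))
    return entries


def lint_pam(text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    entries = parse_pam(text)
    findings = []

    # auth stack: once one password module has run, later ones must reuse its
    # token (use_first_pass), otherwise a rejected password is prompted for again
    prompted = False
    for e in (x for x in entries if x.kind == "auth"):
        if e.module not in PASSWORD_MODULES:
            continue
        if prompted and "use_first_pass" not in e.args:
            findings.append(f"auth {e.module}: fallback module lacks use_first_pass, "
                            "so the user is prompted a second time after a failure")
        if e.module == "pam_krb5.so" and e.control == "required":
            findings.append("auth pam_krb5.so is 'required': accounts known only "
                            "to /etc/shadow can no longer log in")
        prompted = True

    # password stack: modules after a strength checker must take the checked token
    checked = False
    for e in (x for x in entries if x.kind == "password"):
        if e.module in STRENGTH_CHECKERS:
            checked = True
        elif checked and e.module in PASSWORD_MODULES and "use_authtok" not in e.args:
            findings.append(f"password {e.module}: missing use_authtok, so it may "
                            "prompt for a new password that skips the strength check")

    # the auth and password stacks should close with an explicit deny, as above
    for kind in ("auth", "password"):
        stack = [e for e in entries if e.kind == kind]
        if stack and (stack[-1].control, stack[-1].module) != ("required", "pam_deny.so"):
            findings.append(f"{kind} stack does not end with 'required pam_deny.so'")
    return findings


# Constructed sample: Kerberos as a fallback behind pam_unix, still using try_first_pass
FALLBACK_STACK = """\
auth       required     pam_env.so
auth       sufficient   pam_unix.so likeauth nullok
auth       sufficient   pam_krb5.so try_first_pass
auth       required     pam_deny.so
"""

# The same stack with the fix the section describes
FIXED_STACK = FALLBACK_STACK.replace("try_first_pass", "use_first_pass")

# Constructed password stack in which pam_krb5 is missing use_authtok
PASSWORD_STACK = """\
password   required     pam_cracklib.so retry=3
password   sufficient   pam_unix.so nullok md5 shadow use_authtok
password   sufficient   pam_krb5.so
password   required     pam_deny.so
"""

if __name__ == "__main__":
    samples = (("fallback", FALLBACK_STACK), ("fixed", FIXED_STACK), ("password", PASSWORD_STACK))
    for name, stack in samples:
        print(f"== {name} ==")
        for finding in lint_pam(stack) or ["ok"]:
            print(" ", finding)
```

The checks are deliberately narrow: they encode only the rules this section states, so a clean result means the stack avoids these specific mistakes, not that it is correct in every respect.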

This page was last modified 14:15, January 3, 2006 by Gregory Szorc.