
Installing and Configuring Kerberos on a Fermilab Linux System

4.0 - Updated on 2021-03-11 by Brittany Bossarte

3.0 - Updated on 2021-02-22 by Carlos Salazar (Inactive)

2.0 - Updated on 2020-09-28 by Brittany Bossarte

1.0 - Authored on 2014-05-01 by Fang Wang


Intended for:

Linux system administrator.


Scenario/Use case:

This article describes Kerberos and Linux at Fermilab. The supported Linux distribution at Fermilab is Scientific Linux 7 (SL7). CentOS 8 is also supported. Both are derived from Red Hat Enterprise Linux (RHEL).

For your reference, the Fermilab Linux pages are available at https://scientificlinux.org/at-fermilab/. Be aware that Scientific Linux comes with most Kerberized network services turned off.


Instructions:

Kerberos and Linux

All modern Linux distributions include Kerberos utilities and libraries, so Fermilab no longer supplies a complete Kerberos package. Instead, Fermilab supplies a set of RPM packages for Red Hat distributions that customize and extend the Kerberos that comes from Red Hat.

Basic Linux Kerberos Installation

Basic Kerberos for end-user client systems is provided in a pair of RPM packages: the basic Kerberos utilities (krb5-workstation) and libraries (krb5-libs). These are installed automatically on SLF; on other systems, install them with yum:

yum install krb5-libs
yum install krb5-workstation

For 64-bit Linux installations, the 32-bit Kerberos libraries should be installed as they will be needed by components of the Fermilab add-on packages:

yum install krb5-libs.i686

Fermilab Kerberos Packages

The Fermi Kerberos RPM packages, automatically installed in SL7, provide the configuration of Kerberos for the Fermilab environment and additional utilities:

fermilab-conf_kerberos: provides the base for Fermi-ized Kerberos and ensures that the packages necessary for the traditional use of the FNAL Kerberos realm are installed.

Follow Same Pre-install Steps as for UNIX

  • Obtain a Kerberos principal.
  • Create an account on the machine that matches your principal.
  • Determine whether you need to allow incoming Kerberos connections and/or FTP access. If so, get a fixed IP address and obtain host and service principals and passwords.
  • Synchronize your machine with a time server.

Create a Local Account

For individuals who administer their own desktops, we recommend that you create two accounts: one that matches your principal and from which you will authenticate to Kerberos (see the section Follow Same Pre-install Steps as for UNIX above), and a local account whose username does not match your principal and which will not be used for Kerberos-related activity. The local account is really just a convenience so that you can always access your machine, even if the network is down or you are not able to reach the Kerberos servers. The local account's password must meet the following three conditions:

  • the password hash must be stored locally (no NIS, LDAP, etc.).
  • the password cannot be used for network access (restrict to securetty).
  • the password cannot contain your Kerberos password and must not be similar to it.

PAM and Passwords for Desktop Environment Applications

A number of applications on Linux (e.g., screensaver, graphical login, console login) use local authentication checks via the PAM libraries.

Servers at Fermilab that accept incoming access should enable PAM with the "UsePAM yes" directive in the sshd_config configuration file. The pam_krb5 RPM packages should be installed so that PAM can handle Kerberos logins.

SSH and OpenSSH

If you are running Scientific Linux Fermi, the Fermi OpenSSH client package is usually already installed (if not, see below). If you are running some other distribution, look for an OpenSSH version 3.9 or later package for your distribution.

Kerberized OpenSSH RPM Installation and Configuration

Log in as root to perform the installations. Follow the instructions below or at the Fermi Linux Kerberos, OpenSSH and other security documentation pages for the OS version you have. Descriptions of the Fermi Kerberos and ssh RPMs can also be found on that page.

For outgoing connections, install Kerberized OpenSSH as root (it is installed automatically on SLF):

yum install openssh
yum install openssh-clients
yum install fermilab-conf_ssh-client

For SLF 6.x, the zz_fermi_ssh_config package modifies the system-wide default ssh client configuration file /etc/ssh/ssh_config to the Fermilab defaults to use GSSAPI (Kerberos) to access Fermilab systems and to forward X11 back to the client over the ssh connection (tunneled). For SLF 5.x, these configurations are included in the openssh packages. Some of the relevant parameter settings are:

Host 131.225.* *.fnal.gov *soudan.org
Protocol 2
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
ForwardX11Trusted yes
ForwardX11 yes

Depending on the version of your ssh client, you might also want to set the parameter GSSAPIKeyExchange.

GSSAPIKeyExchange yes

For incoming connections, install Kerberized OpenSSH as root (note that the ssh server is not installed on SLF by default):

yum install openssh-server
yum install zz_fermi_sshd_config    (SLF 6 only)

For SLF 6.x, the zz_fermi_sshd_config package modifies the ssh server configuration file /etc/ssh/sshd_config to Fermilab standards. For SLF 5.x, these configurations are included in the openssh-server package. A sample of the relevant parameter settings for the sshd daemon is:

Protocol 2
RSAAuthentication no
PubkeyAuthentication no
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
KerberosAuthentication yes
KerberosOrLocalPasswd no
KerberosTicketCleanup yes
GSSAPIAuthentication yes
GSSAPIKeyExchange yes
GSSAPICleanupCredentials yes
X11Forwarding yes

Policy requires systems connected to the Fermilab network to allow only Kerberos authentication and for passwords and public keys to be disabled.

See the OpenSSH site for more information and documentation. See the manual pages for ssh_config and sshd_config for details on the configuration parameters.
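As an added defender-side check that is not part of the Fermilab documentation, the following script audits an sshd_config file against the Kerberos-only settings listed above and reports any directive that is unset or differs; the two sample configurations embedded in it are constructed for illustration, and the script assumes the plain "Directive value" layout of sshd_config.

```shell
#!/bin/sh
# Added example (not from the Fermilab article): audit sshd_config against the
# Kerberos-only policy settings above. sshd uses the first uncommented value of
# each keyword, so settings inside a Match block do not count as global here.

# Directive=value pairs required by the article's sample sshd_config.
REQUIRED='RSAAuthentication=no PubkeyAuthentication=no PasswordAuthentication=no
ChallengeResponseAuthentication=no UsePAM=yes KerberosAuthentication=yes
KerberosOrLocalPasswd=no GSSAPIAuthentication=yes GSSAPIKeyExchange=yes
GSSAPICleanupCredentials=yes'

# effective_value FILE DIRECTIVE: first global uncommented value, lowercased
# (keyword match is case-insensitive, as in sshd); empty if unset.
effective_value() {
    awk -v key="$2" 'tolower($1) == "match" { exit }
        $1 !~ /^#/ && tolower($1) == tolower(key) { print tolower($2); exit }' "$1"
}

# check_sshd_config FILE: prints each deviation; returns 0 only if all match.
check_sshd_config() {
    file=$1; rc=0
    for pair in $REQUIRED; do
        key=${pair%=*}; want=${pair#*=}
        have=$(effective_value "$file" "$key")
        if [ "$have" != "$want" ]; then
            printf '%s: %s is %s, policy requires %s\n' \
                "$file" "$key" "${have:-unset}" "$want"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample configs (not from any real host) for a dry run.
# The weak one keeps a commented-out line and a setting hidden in a Match block.
SAMPLE_WEAK='#PasswordAuthentication no
PasswordAuthentication yes
PubkeyAuthentication yes
KerberosAuthentication yes
UsePAM yes
Match Address 10.0.0.0/8
KerberosOrLocalPasswd no'
SAMPLE_HARDENED='RSAAuthentication no
PubkeyAuthentication no
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
KerberosAuthentication yes
KerberosOrLocalPasswd no
GSSAPIAuthentication yes
GSSAPIKeyExchange yes
GSSAPICleanupCredentials yes'

# Stand-alone use: sh audit.sh /etc/ssh/sshd_config
for f in "$@"; do check_sshd_config "$f"; done
```

Run it against /etc/ssh/sshd_config on a host to list every directive that still allows passwords or public keys; a non-zero exit means the file does not meet the policy.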


See Also: