Installing and Configuring Kerberos on a Fermilab Linux System
Intended for:
Linux system administrator.
Scenario/Use case:
This article describes Kerberos and Linux at Fermilab. The supported Linux distribution at Fermilab is Scientific Linux 7 (SL7). CentOS 8 is also supported. Both are derived from Red Hat Enterprise Linux (RHEL).
For your reference, the Fermilab Linux pages are available at https://scientificlinux.org/at-fermilab/. Be aware that Scientific Linux comes with most Kerberized network services turned off.
Instructions:
Kerberos and Linux
All modern Linux distributions include Kerberos utilities and libraries, so Fermilab no longer supplies a complete Kerberos package. Instead, Fermilab supplies a set of RPM packages for Red Hat distributions that customize and extend the Kerberos that ships with Red Hat.
Basic Linux Kerberos Installation
Basic Kerberos for end-user client systems is provided by a pair of RPM packages: the Kerberos utilities (krb5-workstation) and the libraries (krb5-libs). These are installed automatically on SLF; on other distributions, install them with yum:
yum install krb5-libs
yum install krb5-workstation
Fermilab Kerberos Packages
The Fermi Kerberos RPM packages, automatically installed in SL7, provide the configuration of Kerberos for the Fermilab environment and additional utilities:
fermilab-conf_kerberos: provides the base for Fermi-ized Kerberos and ensures that the packages necessary for traditional use of the FNAL Kerberos realm are installed.
Follow Same Pre-install Steps as for UNIX
Obtain a Kerberos principal
See section Requesting a Principal.
Create an account on the machine that matches your principal
See section Create an Account that Matches your Principal.
Determine if you need to allow incoming Kerberos connections and/or FTP access. If so get a fixed IP and obtain host and service principals and passwords.
See section Do you Need to Allow Incoming Kerberos Connections?.
Synchronize your machine with a time server
See section Synchronize your Machine with Time Server.
Create a Local Account
For individuals who administer their own desktops, we recommend that you create two accounts: one that matches your principal and from which you will authenticate to Kerberos (listed in section Follow Same Pre-install Steps as for UNIX above), and a local account whose username does not match your principal and which will not be used for Kerberos-related activity. The local account is purely a convenience so that you can always access your machine, even if the network is down or you cannot reach the Kerberos servers. The local account's password must satisfy the following three conditions:
- the password hash must be stored locally (no NIS, LDAP, etc.).
- the password cannot be used for network access (restrict to securetty).
- the password cannot contain your Kerberos password and must not be similar to it.
SSH and OpenSSH
If you are running Scientific Linux Fermi, the Fermi OpenSSH client packages are usually already installed (if not, see below). If you are running some other distribution, look for an OpenSSH version 3.9 or later package for your distribution.
Kerberized OpenSSH RPM Installation and Configuration
Log in as root to perform the installations. Follow the instructions below or at the Fermi Linux Kerberos, OpenSSH and other security documentation pages for the OS version you have. Descriptions of the Fermi Kerberos and ssh RPMs can also be found on that page.
For outgoing connections, Kerberized OpenSSH can be installed from root by doing (automatically installed for SLF installations):
yum install openssh
yum install openssh-clients
yum install fermilab-conf_ssh-client
Some of the relevant parameter settings for ssh are:
Host 131.225.* *.fnal.gov *soudan.org
Protocol 2
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
ForwardX11Trusted yes
ForwardX11 yes
For incoming connections, Kerberized OpenSSH is installed from root by doing (note, the ssh server is not installed in SLF by default):
yum install openssh-server
A sample of the relevant parameter settings for the sshd daemon is:
Protocol 2
RSAAuthentication no
PubkeyAuthentication no
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
KerberosAuthentication yes
KerberosOrLocalPasswd no
KerberosTicketCleanup yes
GSSAPIAuthentication yes
GSSAPIKeyExchange yes
GSSAPICleanupCredentials yes
X11Forwarding yes
Policy requires systems connected to the Fermilab network to allow only Kerberos authentication; password and public-key authentication must be disabled.
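The following audit helper is an added example, not part of the Fermilab documentation or packages: it reads an sshd_config and reports any setting that deviates from the Kerberos-only sshd policy above, honouring sshd's rule that the first occurrence of a keyword outside a Match block is the effective value. The sample config files it builds are constructed for the demonstration.

```shell
#!/bin/sh
# Added audit helper (not from the Fermilab page): checks an sshd_config against the
# Kerberos-only sshd policy. Keywords are case-insensitive; first occurrence wins.

# Required settings, mirroring the sample sshd_config above.
SSHD_POLICY="
passwordauthentication=no
pubkeyauthentication=no
challengeresponseauthentication=no
kerberosauthentication=yes
gssapiauthentication=yes
usepam=yes
"

# effective_setting FILE KEYWORD: print the effective value (lowercased), or nothing if unset
effective_setting() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }      # skip comments and blank lines
        { gsub(/=/, " ") }                                  # allow "Keyword=value" form
        tolower($1) == "match" { exit }                     # settings below Match are conditional
        tolower($1) == key     { print tolower($2); exit }  # first occurrence wins
    ' "$1"
}

# check_sshd_policy FILE: return 0 if compliant, else print each deviation and return 1
check_sshd_policy() {
    rc=0
    for entry in $SSHD_POLICY; do
        key=${entry%%=*}
        want=${entry#*=}
        got=$(effective_setting "$1" "$key")
        if [ "$got" != "$want" ]; then
            printf '%s: %s is "%s", policy requires "%s"\n' "$1" "$key" "${got:-unset}" "$want"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample configs for demonstration (not real Fermilab hosts or files).
SSHD_TMP=$(mktemp -d)
printf '%s\n' '# Kerberos-only sshd' 'Protocol 2' 'PubkeyAuthentication no' \
    'PasswordAuthentication no' 'ChallengeResponseAuthentication no' 'UsePAM yes' \
    'KerberosAuthentication yes' 'GSSAPIAuthentication yes' >"$SSHD_TMP/compliant"
printf '%s\n' 'PasswordAuthentication yes' 'PasswordAuthentication no' \
    'GSSAPIAuthentication yes' 'Match User backup' '    PubkeyAuthentication no' \
    >"$SSHD_TMP/noncompliant"

check_sshd_policy "$SSHD_TMP/compliant" && echo "compliant: OK"
check_sshd_policy "$SSHD_TMP/noncompliant" || echo "noncompliant: deviations found"
```

Run it against /etc/ssh/sshd_config on a host after installing openssh-server; a non-zero exit means at least one policy setting is missing or overridden by an earlier line.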
See the OpenSSH site for more information and documentation. See the manual pages for ssh_config and sshd_config for details on the configuration parameters.
See Also: