
Installing Kerberos on a non-Fermi-Supported Linux System


3.0 - Updated on 2021-02-24 by Brittany Bossarte

2.0 - Updated on 2021-02-23 by Carlos Salazar (Inactive)

1.0 - Authored on 2014-05-01 by Fang Wang


Intended for:

Linux system administrators.



Scenario/Use case:

This article provides instructions on how to Kerberize a machine running a Linux OS other than Red Hat or Scientific Linux. The instructions provided here should help Linux users achieve a fully-functional Kerberos implementation usable at Fermilab. For reference, see also Installing and Configuring Kerberos on a Fermilab Linux System.

The Computing Sector does not explicitly support these types of installations, but you can request help on the linux-users@fnal.gov mailing list (and usually obtain useful help).



Instructions:

Before You Install Kerberos

Obtain a Kerberos Principal

Strictly speaking, you don't need a Kerberos principal to just install the software. It will be difficult to judge your results without one, however. You'll need to get one (plus an initial password) to have access to the FNAL.GOV realm. See section Your Kerberos Principal for information. Use the online form Computing Username and Primary Accounts in the Service Catalog of ServiceNow.

Do you Need to Allow Incoming Kerberos Connections?

For any machine on which services will be offered, and which therefore must allow incoming Kerberos connections (including portal mode connections), you must obtain a service principal for the host. An FTP principal can also be requested if FTP is an offered service that is actually in use, but FTP is no longer needed on machines. These service principal names are of the form host/<full.node.name> and ftp/<full.node.name> (e.g., host/mynode.fnal.gov and ftp/mynode.fnal.gov, or something like host/mynode.myuniv.edu and ftp/mynode.myuniv.edu, depending on your institution's domain).

Before installing Kerberos on a machine the first time, request these host-specific service principals (plus initial passwords) for that machine, using the form at the ServiceNow Service Catalog: Additional Kerberos Items. You will need to provide the fully qualified hostname of the machine.

Notes:

If you don't intend to allow incoming connections, don't request these service principals. You can request and install them at a later date, if needed (see section Installing Service Host Keys).

Create an Account that Matches your Principal

We strongly recommend that you create an account/login name on the machine that matches the "primary" (the username part) of your user principal. See section If your Principal and Login Name do not Match under section More About Choosing a Principal Name. Note that even if your login name and principal don't match, you can still log into your machine at the console after it's Kerberized, as long as your local UNIX password is set.

Synchronize your Machine with Time Server

When using Kerberos, the client and server must be time-synchronized with each other, each in its local time zone. A wrong system clock is the single most common authentication problem (it typically appears as a "preauthentication failed" message). Kerberos is configured to allow a discrepancy of about five minutes. 

Installing Kerberos

Virtually all Linux distributions have Kerberos available. You need to install the basic Kerberos functionality from your Linux distribution's repositories and installation packages. In addition to the Kerberos utilities and clients, you will need the Fermilab Kerberos Configuration File: krb5.conf. This note contains details on the contents of the Fermilab krb5.conf as well as instructions on where to obtain a copy for your installation.

If your Linux distribution can handle RPM (RedHat Package Manager) installation files, see Installing and Configuring Kerberos on a Fermilab Linux System for some helpful information.

In addition to the basic Kerberos libraries and utilities, you will also want to install Kerberized OpenSSH (any version of OpenSSH 3.9 or newer) for your Linux distribution. You can find information on the OpenSSH configuration as used at Fermilab in the Kerberized OpenSSH Installation and Configuration section of the note on Kerberos for Fermilab Linux.
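The following pre-install checker is an added example, not a Fermilab script: it derives the host/ and ftp/ service principal names described above from a fully qualified hostname, tests two clock readings against the five-minute skew Kerberos tolerates, and reads default_realm from a krb5.conf. The sample krb5.conf, hostname and KDC placeholder are constructed for the demonstration.

```shell
#!/bin/sh
# Pre-install sanity checks for a Kerberos client (constructed helper, not a
# Fermilab script). Sample data below is made up for demonstration.

# Print the host/ and ftp/ service principal names to request for a machine.
# Assumes a fully qualified name of at least node.domain.tld; fails otherwise.
service_principals() {
    fqdn=$1
    case "$fqdn" in
        *.*.*) ;;
        *) echo "not a fully qualified hostname: $fqdn" >&2; return 1 ;;
    esac
    printf 'host/%s\nftp/%s\n' "$fqdn" "$fqdn"
}

# Succeed (exit 0) when two epoch timestamps, e.g. client vs. time server,
# differ by no more than the ~5 minutes (300 s) Kerberos tolerates.
clock_skew_ok() {
    diff=$(( $1 - $2 ))
    if [ "$diff" -lt 0 ]; then diff=$(( 0 - diff )); fi
    [ "$diff" -le 300 ]
}

# Print the default_realm from the [libdefaults] section of a krb5.conf;
# prints nothing if the key is absent or sits in another section.
krb5_default_realm() {
    awk '
        /^[[:space:]]*\[/ { insec = ($0 ~ /^[[:space:]]*\[libdefaults\]/); next }
        insec && /^[[:space:]]*default_realm[[:space:]]*=/ {
            sub(/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*/, "")
            sub(/[[:space:]]+$/, ""); print; exit
        }' "$1"
}

# Constructed minimal krb5.conf standing in for the real Fermilab file.
SAMPLE_KRB5_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_KRB5_CONF"' EXIT
cat > "$SAMPLE_KRB5_CONF" <<'EOF'
[libdefaults]
    default_realm = FNAL.GOV
    clockskew = 300
[realms]
    FNAL.GOV = {
        kdc = KDC-HOSTNAME-PLACEHOLDER
    }
EOF
# Demonstration on a constructed hostname and the sample file.
service_principals mynode.fnal.gov
echo "default_realm: $(krb5_default_realm "$SAMPLE_KRB5_CONF")"
```

On a real machine, call `service_principals "$(hostname -f)"` and point `krb5_default_realm` at /etc/krb5.conf once the Fermilab file is installed.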



See Also: