
Installing Fermi Kerberos on a UNIX System


Intended for:

UNIX system administrators.



Scenario/Use case:

This article provides instructions for installing Kerberos on a UNIX machine and for installing Kerberized ssh, as the combination works very well.

Note: For instructions on how to install Kerberos on a Linux machine, see Installing Fermi Kerberos on a Linux System.



Instructions:

Before You Install Kerberos

Obtain a Kerberos Principal

Strictly speaking, you don't need a Kerberos principal to just install the software. It will be difficult to judge your results without one, however. You'll need to get a principal (plus an initial password) to have access to the FNAL.GOV realm. See section Your Kerberos Principal for information. Use the online form Computing Username and Primary Accounts in the Service Catalog of ServiceNow.

Create an Account that Matches your Principal

We strongly recommend that you create an account/login name on the machine that matches the "primary" (the username part) of your user principal. See section If your Principal and Login Name do not Match in More about Choosing a Principal Name. Note that even if your login name and principal don't match, you can still log into your machine at the console after it's Kerberized, as long as the account has a UNIX password set on the machine.

Understand your Installation Options

Kerberos (either the MIT or the Heimdal version) is available for almost all UNIX systems and Linux distributions. You can download MIT Kerberos in a variety of formats (including sources) from the Web and install it. See Installing Kerberos on a non-Fermi-Supported Linux System.

You will also need the Fermilab Kerberos configuration file, see The Kerberos Configuration File: krb5.conf.

The Fermilab Kerberos environment runs the MIT version. To minimize compatibility issues, if a MIT distribution exists for your operating system, the MIT distribution is highly recommended.

Install Kerberized SSH (Recommended)

Using Kerberized ssh with Kerberos in fully strengthened mode simplifies several operations that can cause extra work in a non-ssh installation. Most importantly, ssh can be configured to always provide encrypted connections. Also, you get X11 connection forwarding so that you don't have to set the $DISPLAY variable, and the X11 connections are encrypted.

You can find information on the OpenSSH configuration as used at Fermilab in the Kerberized OpenSSH Installation and Configuration section of the note on Kerberos for Fermilab Linux.

Do you Need to Allow Incoming Kerberos Connections?

If you plan to log in to your machine over the network and/or offer services, your machine must allow incoming Kerberos connections (including portal mode connections). In this case, you must get a service principal for the host, and one for FTP if that is an offered service. These service principal names are of the form host/<full.node.name> and ftp/<full.node.name> (e.g., host/mynode.fnal.gov and ftp/mynode.fnal.gov, or for off-site nodes, something like host/mynode.myuniv.edu and ftp/mynode.myuniv.edu, according to your institution's domain). We also recommend that you get a fixed IP address.

If you need host and ftp principals, first register yourself in the database of system administrators. This is part of the System Registration form; be sure to fill out the primary system administrator information. Check your system administrator information in the System Administrator Database.

Before installing Kerberos on a machine the first time, request the host-specific service principals (plus initial passwords) for that machine, using the form at ServiceNow Service Catalog: Accessing Kerberized Machines. You will need to provide the full hostname of the machine. Later, you will need to install the hostkeys that you receive; see section Installing Service Host Keys.

Notes:

If you don't intend to allow incoming connections, don't request these service principals, and just answer "no" when asked if you have the passwords for them during installation of the Kerberos product. You can request and install them at a later date, if needed. For instructions on doing so, see the section on Installing Service Host Keys.

Synchronize your Machine with Time Server

When using Kerberos, the client and server must be time-synchronized with each other, each in its local time zone. A wrong system clock is the single most common authentication problem (it typically appears as a "preauthentication failed" message). Use the command date -u to check the UTC date/time, which is what Kerberos actually compares. Kerberos is configured to allow a discrepancy of five minutes. xntp is a product that you can install on your machine to maintain the system time in agreement with Internet standard time servers.
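The three pre-install checks above (login name matching the principal's primary, service principal names derived from the full hostname, and clock skew inside the five-minute allowance) as one POSIX shell script. This is an added example, not a Fermilab script; the realm FNAL.GOV is taken from this article, and the hostnames, principal names and epoch values used with it are constructed samples.

```shell
#!/bin/sh
# Pre-install sanity checks for a host about to be Kerberized (added example).
# Assumption: user and service principals live in the FNAL.GOV realm, as this article states.

REALM=FNAL.GOV
MAX_SKEW=300   # Kerberos here tolerates a five-minute clock discrepancy (seconds)

# Print the host/ and ftp/ service principals to request for a node.
# Refuses a short hostname: the form requires the full hostname.
service_principals() {
    fqdn=$1
    case "$fqdn" in
        *.*) ;;    # contains a domain part: accept
        *) echo "error: '$fqdn' is not a fully qualified hostname" >&2; return 1 ;;
    esac
    printf 'host/%s@%s ftp/%s@%s\n' "$fqdn" "$REALM" "$fqdn" "$REALM"
}

# Succeed when the primary (username part) of a user principal equals the login name.
principal_matches_login() {
    principal=$1
    login=$2
    primary=${principal%%@*}    # drop @REALM
    primary=${primary%%/*}      # drop any /instance
    [ "$primary" = "$login" ]
}

# Succeed when the local clock is within MAX_SKEW seconds of a reference epoch.
# The second argument (local epoch) defaults to the real clock; date +%s is
# not strictly POSIX but is available on the UNIX and Linux systems in scope.
clock_skew_ok() {
    reference=$1
    local_now=${2:-$(date -u +%s)}
    if [ "$local_now" -ge "$reference" ]; then
        skew=$((local_now - reference))
    else
        skew=$((reference - local_now))
    fi
    [ "$skew" -le "$MAX_SKEW" ]
}
```

Run `clock_skew_ok <epoch-from-a-trusted-time-source>` before installing; if it fails, fix the clock with xntp first rather than debugging "preauthentication failed" later.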

Determine Kerberos Access Mode(s)

Before installing, you must first determine whether you want Kerberos configured in fully strengthened mode, in mixed mode (Kerberos plus ssh), or in a customized mode.

Fully Strengthened Mode (Kerberos Only)

This mode enables only Kerberized access to the node. This includes Kerberized ssh. It disables all non-Kerberized means of accessing the node. This is the mode all on-site Kerberized systems are obliged to choose.

Mixed Mode (Kerberos plus SSH)

This mode enables Kerberized access to the node and disables all non-Kerberized means of accessing it, with one exception: any existing non-Kerberized ssh access is left in place. This mode is incompatible with Kerberized ssh.

For ON-SITE SYSTEMS, this mode is not in compliance with the Computing Policy, and thus is NOT ALLOWED.

Other

If neither of these configurations applies, read the file README.INSTALL.DETAILS which describes all of the possible installation options in detail.

This is recommended only for experts.


See Also: