One way to help is with Kerberos. Kerberos is an authentication and encryption scheme that allows a user to become "known" by an authenticating server and then use that authentication to access systems and services on the net. The services can then transpire in an encrypted fashion to further secure transactions occurring over the net. The philosophy behind the creation of Kerberos, and a short summary of how it works is available, but here we assume that you know what Kerberos is, and wish to implement a Kerberos domain on your network. But, we also assume that you are not a hot-shot UNIX programmer, so we intend to lead you by the hand in a step-by-step fashion through the entire process. In other words, this is our version of "Kerberos for Dummies."
Several commercial integrators provide enterprise Kerberos solutions as well as technical support and maintenance. In particular, perhaps the easiest way to install Kerberos V5 is to use Kerbnet from Cygnus solutions. Kerbnet is free and has clients for Win32 machines, Macintoshes and Unix hosts, and has KDC software for Unix and NT as well as host servers for Unix platforms.
Check out the MIT Kerberos Web Site for the latest Kerberos release news. Another good source of information is the Kerberos FAQ compiled by Ken Hornstein.
If anyone has questions about using MIT Kerberos 5 tools with
a DCE based KDC, send a message to:
More information on the issues involved in accessing the distributed file systems AFS and DFS from Kerberos are discussed by Doug Engert.
If you use the DCE based KDC, you still need to compile the MIT Kerberos 5 software. But you will not run the MIT Kerberos key server (/krb5/sbin/krb5kdc) or the MIT kadmind server (/krb5/sbin/kadmind).
In these instructions, your typing is shown in italics.
Consider obtaining the Kerbnet code from Cygnus Solutions. This code is prebuilt and well-documented.
To properly build the C compiler (gcc), you will first need to get and install bison and the gnu assembler (as). The assembler is found in the binutils package. Without the gnu assembler, I obtained numerous warnings during the compilation procedure, all of which disappeared when the gnu as was used. You might also be more successful if you use the gnu make facility. If you do not have a C library on your machine, you will also need to obtain glibc from the gnu distribution (this should NOT be necessary on a UNIX machine). For debugging, obtain the gnu debugger, gdb.
It will probably take an afternoon to build all of these tools. In each case, installation is fairly straight forward. As root, gunzip and untar each of the above .tar.gz files and switch into the program's root directory, which is always the utility name followed by the release number. To be safe, read the INSTALL file or README file if the former does not exist. You can use gzcat to save disk space by doing both of these steps at once:
gzcat filename.tar.gz | tar -xpf -
For example, if you have built the stage 2 compiler, you can use the
make install CC="stage2/xgcc -Bstage2/" CFLAGS="-g -O" LANGUAGES="C C++"
This should copy the files `cc1', `cpp' and `libgcc.a' to files `cc1', `cpp' and `libgcc.a' in the directory `/usr/local/lib/gcc-lib/TARGET/VERSION', which is where the compiler driver program looks for them. Here TARGET is the target machine type specified when you ran `configure', and VERSION is the version number of GNU CC. This naming scheme permits various versions and/or cross-compilers to coexist. This step also copies the driver program `xgcc' into `/usr/local/bin/gcc', so that it appears in typical execution search paths.
install-normal: install-common $(INSTALL_HEADERS) $(INSTALL_LIBGCC)
install-libobjc install-man lang.install-normal install-driver
to eliminate install-info from the second line. Then gcc was successfully installed!
It is also good to get advice from experts. So, obtain the README file from Doug Engert's ftp site at Argonne National Laboratory:
For example, for my HP-UX 10 system, Doug suggests many options in the configure command:
../src/configure --with-cc=gcc \
--with-ccopts="-O " --prefix=/krb5\
--with-cppopts='-DANL_DCE -DAFS524 '
The prefix option places the resulting source into the directory /krb5 rather than the default. In general, I had much better success getting configure to work properly if I put the --prefix command near the beginning of the configure argument string rather than at the end. It shouldn't make any difference, but it did.
For Solaris 2.6 I used the Sun c89 compiler and make (no gnu utilities) and had no problems at all. I used the configure command:
../src/configure --with-cc=c89 \
--with-cppopts="-DANL_DCE -DANL_AFS_PAG -DANL_DFS_PAG -DAFS524 -DNO_MOTD "\
For AIX 3.2.x, I had the IBM ANSI compiler, but the build only worked if I used --with-cc=cc as opposed to xlc or c89. On this platform, all components built properly with the configure command:
../src/configure --with-cc=cc \
--with-ccopts="-O " \
--with-cppopts='-DANL_DCE -DAFS524 '\
For AIX 4.1.3, I used the IBM (cc) compiler and the configure
../src/configure --with-cc=cc --prefix=/krb5 \
--with-cppopts='-DANL_DCE -DAFS524 -ULOGIN_CAP_F '
For AIX 4.2 with the IBM C/C++ compiler, configure would not
work unless I used the command:
../src/configure --with-cc=cc --prefix=/krb5 \
--with-cppopts='-DANL_DCE -DAFS524 -ULOGIN_CAP_F '
However, make will fail in the /src/util/pty directory unless you edit
the Makefile to remove the two switches -DHAVE_SETUTXENT=1 -DHAVE_UTMPX_H=1
Having both utmp.h and utmpx.h included causes the utmp structure to be multiple defined, and the definition in utmpx is not the one that is needed.
The code for the telnetd will not compile because the include
in the file src/appl/telnet/telnetd/termios-tn.c is incorrect. Change #include
to #include <sys/termio.h>
For all platforms
Edit these files to reflect your Kerberos domain instead of mine (dsdoe.ornl.gov).
/krb5/sbin/kdb5_util create -r dsdoe.ornl.gov -s
Initializing database '/krb5/lvar/krb5kdc/principal' for realm 'dsdoe.ornl.gov',
master key name 'K/M@dsdoe.ornl.gov'
You will be prompted for the database Master Password. It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
Replace our domain name with yours. The -s creates a stash file which is used to authenticate the KDC to itself.
Create an administrator kadm5.acl file following the instructions in the Kerberos manual. Put it in the location specified in the 'acl_file =' section of kdc.conf.
Add your administrator(s) to the KDC database as per the manual
kadmin.local: addprinc email@example.com
Enter password for principal "firstname.lastname@example.org": your_password
Re-enter password for principal "email@example.com": your_password
Principal "firstname.lastname@example.org" created./krb5/sbin/kadmin.local
Create the keytab file on the server. kadmind uses this to determine what access it should give to administrators. The manual is wrong here. Stay in kadmin.local and give the command:
kadmin.local: ktadd -k /krb5/var/krb5kdc/kadm5.keytab kadmin/admin
Entry for principal kadmin/admin with kvno 3, encryption type DES-CBC-CRC added to keytab WRFILE:/krb5/var/krb5kdc/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type DES-CBC-CRC added to keytab WRFILE:/krb5/var/krb5kdc/kadm5.keytab.
Edit the /etc/services file to include the following kerberized servcies. This list shows all the available servcies. Your key server should only have the uncommented lines on the key server machine. The other services are used for Kerberized hosts.
# # Kerberos (Project Athena/MIT) services
#kerberos 88/udp kdc # Kerberos 5 kdc
#kerberos 88/tcp kdc # Kerberos 5 kdc
#klogin 543/tcp # Kerberos rlogin -kfall
#kshell 544/tcp krcmd # Kerberos remote shell -kfall
krb5_prop 754/tcp # Kerberos v5 slave propagation
kerberos-adm 749/tcp # Kerberos v5 admin/chpwd
kerberos-adm 749/udp # Kerberos v5 admin/chpwd
#eklogin 2105/tcp # Kerberos encrypted rlogin -kfall
kpasswd 761/tcp kpwd # Kerberos "passwd" -kfall
#ktelnet 545/tcp # Kerberized telnet v4/v5
#kftp-data 546/tcp # Kerberized ftp data V5
#kftp 547/tcp # Kerberized ftp v5
If you want the two servers to start up automatically when your kdc machine is rebooted, you need to add them to your rc.local, inittab, or init.d or whatever your system uses to start processes at boot time.
kadmin: Client not found in Kerberos database while initializing kadmin interface
To be able to use the kadmin interface, you need to register yourself as a database administrator.
On the KDC machine, in kadmin.local add an administrator role for yourself:
kadmin.local: addprinc email@example.com
Enter password for principal "firstname.lastname@example.org": your_password
Re-enter password for principal "email@example.com": your_password
Principal "firstname.lastname@example.org" created.
Now, on a remote machine (on which you have also installed Kerberos), you can get a ticket as an administrator.
dsrocf:/krb5/bin: ./kinit jar/admin
Password for email@example.com: your_password
Now you can check to see that you have the correct ticket
Default principal: firstname.lastname@example.org
Valid starting Expires Service principal
18 Dec 96 14:13:52 19 Dec 96 00:13:26 email@example.com
NOTE: This HP-UX machine has DCE clients installed as part of the operating system. BE SURE TO USE THE PROGRAMS IN THE /krb5 DIRECTORY TREE. THE DCE VERSIONS ARE NOT COMPATIBLE WITH KERBEROS V5.
Now you can access kadmin on the Kerberos server (dsroc3) from dsrocf.
Enter password: your_password
A very easy way to see whats going wrong is to use strace. You can see what the program is trying to do and where it fails. To use strace on kadmin for example: strace kadmin.
kadmin: add_principal host/dsrocf.dsdoe.ornl.gov
Enter password for principal "firstname.lastname@example.org":
Re-enter password for principal "email@example.com":
Principal "firstname.lastname@example.org" created.
Then add its keytab entry in the LOCAL (dsrocf) /etc/krb5.keytab file. This process securely shares a secret key to be used for communication between the Kerberized host and the KDC server.
kadmin: ktadd host/dsrocf.dsdoe.ornl.gov
Entry for principal host/dsrocf.dsdoe.ornl.gov with kvno 4,
encryption type DES-CBC-CRC added to keytab WRFILE:/etc/krb5.keytab.
Repeat this process for every host in your realm.
Finally, you should add the following lines to the end of the /etc/inetd.conf file on each host so that the Kerberos daemons start up automatically when your host is rebooted:
klogin stream tcp nowait root /krb5/sbin/klogind klogind -ki
eklogin stream tcp nowait root /krb5/sbin/klogind klogind -eki
kshell stream tcp nowait root /krb5/sbin/kshd kshd -ki
ktelnet stream tcp nowait root /krb5/sbin/telnetd telnetd -a user
kftp stream tcp nowait root /krb5/sbin/ftpd -a
If you change the inetd.conf file, you must inform the inet daemon to put them into effect. It is done differently on different systems. For example, on AIX run the refresh -s inetd or kill -1 InetdPID command. On HP-UX, use the command inetd -c.
for each host. I had to edit the /etc/hosts file to be sure that the long host name came before the short name.
Both of us had to perform these steps on our KDCs using our secret shared password:
/krb5/sbin/kadmin.local -e des:v4
addprinc -kvno 1 -pw [yourpassword] email@example.com
addprinc -kvno 1 -pw [your password] firstname.lastname@example.org
Next, I had to run kinit (as myself) to get a ticket from my KDC.
dsrocf:/home/jar:7: /krb5/bin/kinit jar
Password for email@example.com:
Then I was able to test to see if I could rlogin to a machine at ANL from ORNL:
/krb5/bin/rlogin caliban.ctd.anl.gov -x -l b17783
Local flow control on
It worked! We can examine the ticket cache to see how this worked.
Ticket cache: /tmp/krb5cc_11192
Default principal: firstname.lastname@example.org Valid starting Expires Service principal
05 Dec 96 16:13:33 06 Dec 96 02:13:33 email@example.com
05 Dec 96 16:14:33 06 Dec 96 02:13:33 firstname.lastname@example.org
05 Dec 96 16:14:40 06 Dec 96 02:13:33 email@example.com
Everyone who has setuid-bits set on these applications is adviced to disable them. The hole allows any user on the system to gain privilegies of any other user including root.
The hole has been successfully tested on kth-kerberos,
but is suspected to
exist on any other versions of kerberos.
Artur Grabowski (administrator on stacken.kth.se)
Serious buffer overrun vulnerabilities exist
in many implementations of Kerberos 4, including implementations included for
backwards compatibility in Kerberos 5 implementations. Other less serious buffer
overrun vulnerabilites have also been discovered. ALL KNOWN KERBEROS 4 IMPLEMENTATIONS
derived from MIT sources are believed to be vulnerable.
ftp://prospero.isi.edu/pub/ssl-krbThe draft (presented at the IETF's Transport Layer Security (TLS) working group meeting, Dec. 1996) proposes the addition of new cipher suites to the TLS protocol (SSL 3.0) to support Kerberos-based authentication. Kerberos credentials are used to achieve mutual authentication and to establish a master secret which is subsequently used to secure client-server communication.
Note: The reference implementation uses MIT's Kerberos V5 beta 6.
The draft and reference implementation are the work of Ari Medvinsky and Matt Hur at the CyberSafe Corporation.
Unfortunately, the CygnusKerbnet version of Kerberos is no longer available.
However, Cygnus offers a PC environment called Cygwin that emulates Unix. The
Kerberos source code has been modified by Vern Staats
to run on Windows 2000 including ssh.
rlogin itself really does not understand realms either, so when you startup an rlogin session, it takes your local UNIX uid, and tries to use it at the remote site. the -l option overrides this, and gives the local UNIX id to use for the rlogind to use. rlogind looks this -l uid up in the local password file getpwent() and finds your home directory. It then looks at the .k5login file to see which Kerberos principals it will allow to use this local uid.
The ability to get an encrypted X session back is a nice feature, as is the ability it use the ticket obtained or forwarded to get a AFS token or DCE context.
The F-Secure program from DataFellows implements SSH on Windows, and can be used with the sshd on a unix system. The F-Secure ssh client on Windows does not currently use Kerberos authentication, but since it does provide an encrypted channel, you can send a Kerberos passsword to the sshd when login in. The encrypted X works here as well.
I have tried Exceed on Windows 95, with F-Secure to a Solaris 2.5 system, running sshd linked with the MIT Kerberos 5-1.0 libs. The system also has AFS and DCE 1.1, and I can get a AFS token and DCE context. It alos works between AIX 4.1.4 and Solaris. Will be testing HPUX 10, SGI 6 and SunOS 4 soon.
See: http://www.cs.hut.fi and http://www.datafellows.com
Douglas E. Engert (DEEngert@anl.gov)
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
To enable Kerberos V5 support when you make ssh, use the following configure
./configure --with-kerberos5=/krb5 --enable-kerberos-tgt-passing
More advice on SSH/Kerberos gotchas.
In addition, the Kerberos rcp command also supports encryption with the -x
option which encrypts all information transferring between hosts. To use
the rcp command, you must either have the same user id on the remote host, or
you must have an entry in the remote host's .k5login file in the destination
user's login directory.
Can I integrate Kerberos with some form of hardware token?
Ken Hornstein at Naval Research Labs has modified the Kerberos distribution to include support for the SecureID card.
Updated: Wednesday, 01-Oct-2003 12:30:20 EDT