Kerberos client functionalities in NetBSD

To: netbsd-users <netbsd-users%NetBSD.org@localhost>
Subject: Kerberos client functionalities in NetBSD
From: Rocky Hotas <rockyhotas%firemail.cc@localhost>
Date: Mon, 10 Feb 2020 16:04:09 +0100

Hi all!
This is not a request or a question, but rather a collection of
notes about Kerberos, for anyone who is interested. I was trying
to configure (for the first time) a NetBSD 8.1 amd64 host as a
Kerberos client.

First, it is worth noting that there is more than one implementation
of Kerberos: MIT and Heimdal are maybe the most common ones. They
should be api-compatible, as I was suggested in the IRC channel
#netbsd.

The implementation of Kerberos natively used in NetBSD is Heimdal:
the base system already includes an essential set of utilities like
kinit(1), klist(1), kadmin(8), ktutil(8). If the MIT Kerberos is
needed, several packages are available in the pkgsrc repository.

Using only the base system, with just the creation of an appropriate
/etc/krb5.conf file and the necessary lines in /etc/hosts, a NetBSD
host is immediately able to obtain a Ticket-Granting-Ticket as a
Kerberos client. I used it against a MIT Kerberos server and I
found no compatibility issues. This has been quick and very, very
useful.

I found instead some issues when trying to create a keytable in
the NetBSD client. For example, `kadmin -p admin_user' suddenly
shows the admin_user admin prompt, which seems very odd; then, for
some of the available commands, it asks for the password and does
not return the prompt after entering the correct password. The same
happens with `ktutil get -p admin_user host/fqdn.of.the.client'.

Note that I can not exclude that this is due to something I forgot
(or did not know) to configure.

However, a keytab created with MIT Kerberos utilites and then copied
into NetBSD is correctly read with `ktutil -k keytab_file list'
and is perfectly suitable, for example to receive ssh connections.

If ssh authentication through a Kerberos user must be provided in
a NetBSD client, the /etc/pam.d/ files already include a line for
the pam_krb5.so module: so, no configuration for PAM is needed. I
installed from pkgsrc the package pam-krb5, which includes pam_krb5.so,
but this file is already in the base system in /usr/lib/security/
and maybe there is no need for the package. It is instead necessary
cy2-gssapi, which depends on cyrus-sasl (needed as well), for GSSAPI
authentication, in addition to the correct configuration lines both
in /etc/ssh/sshd_config (for the server) and /etc/ssh/ssh_config
(for the client).

In conclusion, the NetBSD 8.1 base system includes some executables
and libraries which make a Kerberos client configuration almost
immediate. Thanks to those who tailored the base system.

Bye!

Rocky

Prev by Date: Re: USB device with no driver
Next by Date: Can't open /boot | biosboot via GPT on raidframe on GPT (NetBSD 9.0/amd64_RC2)
Previous by Thread: USB device with no driver
Next by Thread: Re: Kerberos client functionalities in NetBSD
Indexes:

Home | Main Index | Thread Index | Old Index