Kerberizing Slackware without PAM

27 Jan 2011


This document guides the configuration of Slackware to use Kerberos for authentication. Slackware is (in)famous for not using PAM, so this effort will follow that philosophy. Below are the steps required to configure a KDC, a Kerberos client station which can collect tickets from the KDC and allow console logins with Kerberos credentials, and to network applications which accept Kerberos credentials. Tested releases are Slackware 13.0 and 13.1 on i386 and Slackware 13.37 on x86_64. Please send all comments, corrections, or questions to Tom Canich.

Disclaimer

Use this information at your own risk. No warranty is expressed or implied.
Slackware is a registered trademark of Slackware Linux, Inc..

Contents

The KDC

This procedure will result in a new Kerberos realm. If you already have access to a Kerberos KDC, you can skip to the client and application server parts. Also, the below procedure is very abbreviated and is not a substitute for reading the documentation supplied in the package or on the MIT Kerberos website.

  1. Install krb5 package.
  2. Configure /etc/krb5.conf, /var/krb5kdc/kdc.conf and /var/krb5kdc/kadm5.acl . These files are examples which you should adjust after reading the Kerberos documentation.
    krb5.conf
    [domain_realm]
            example.com = EXAMPLE.COM
            .example.com = EXAMPLE.COM
    
    [libdefaults]
            default_realm = EXAMPLE.COM
            dns_kdc_lookup = true
            dns_realm_lookup = true
            forwardable = true
            renewable = true
    
    [realms]
    
    EXAMPLE.COM = {
    			kdc = kerberos-1.example.com:88
    			kdc = kerberos-2.example.com:88
    			admin_server = kerberos-1.example.com:749
            }
    
    kdc.conf
    [kdcdefaults]
            kdc_ports = 749,88
    
    [realms]
            EXAMPLE.COM = {
                    database_name = /var/krb5kdc/principal
                    admin_keytab = FILE:/var/krb5kdc/kadm5.keytab
                    acl_file = /var/krb5kdc/kadm5.acl
                    key_stash_file = /var/krb5kdc/.k5.EXAMPLE.COM
                    kdc_ports = 749,88
                    max_life = 10h 0m 0s
                    max_renewable_life = 7d 0h 0m 0s
                    supported_keytypes = aes256-cts des-cbc-crc des-cbc-md5
            }
    
    kadm5.acl
    krb5adminprinc/admin   *
    
  3. Create the database.
    /usr/kerberos/sbin/kdb5_util create -r EXAMPLE.COM -s
    
  4. Extract the admin server keys to /var/krb5kdc/kadm5.keytab.
    /usr/kerberos/sbin/kadmin.local
    kadmin.local: xst -k /var/krb5kdc/kadm5.keytab kadmin/admin kadmin/changepw
    
  5. Create host and other principals; extract to /etc/krb5.keytab
    kadmin.local: ank -randkey host/fully.qualified.domain.name
    kadmin.local: xst -k /etc/krb5.keytab host/fully.qualified.domain.name
    
  6. Create admin, user principals
    kadmin.local: ank krb5adminprinc/admin
    kadmin.local: ank krb5userprinc
    kadmin.local: quit
    
  7. Create startup script /etc/rc.d/rc.krb5
    rc.krb5 - shamelessly ripped off from rc.samba from Slackware 13.0
    #!/bin/sh
    #
    # /etc/rc.d/rc.krb5
    #
    # Start/stop/restart the MIT Kerberos V KDC
    #
    # To make Kerberos start automatically at boot, make this
    # file executable:  chmod 755 /etc/rc.d/rc.krb5
    #
    
    krb5_start() {
      if [ -x /usr/kerberos/sbin/krb5kdc -a -x /usr/kerberos/sbin/kadmind -a -r /etc/krb5.conf -a -r /var/krb5kdc/kdc.conf ]; then
        echo "Starting Kerberos:  /usr/kerberos/sbin/krb5kdc"
        /usr/kerberos/sbin/krb5kdc
        echo "                 /usr/kerberos/sbin/kadmind"
        /usr/kerberos/sbin/kadmind
      fi
    }
    
    krb5_stop() {
      killall krb5kdc kadmind
    }
    
    krb5_restart() {
      krb5_stop
      sleep 2
      krb5_start
    }
    
    case "$1" in
    'start')
      krb5_start
      ;;
    'stop')
      krb5_stop
      ;;
    'restart')
      krb5_restart
      ;;
    *)
      # Default is "start", for backwards compatibility with previous
      # Slackware versions.  This may change to a 'usage' error someday.
      krb5_start
    esac
    
  8. Start KDC daemons:
    # sh /etc/rc.d/rc.krb5 start
    . Remember to make the rc.krb5 script executable if you want the KDC to start automatically at boot.
  9. Verify connectivity to KDC with kadmin, kinit:
    $ kinit krb5userprinc
    $ klist
    $ kadmin -p krb5adminprinc/admin
    

The Client

This procedure will result in a client capable of retrievving Kerberos tickets from a KDC and allow Kerberos principals to login at the console. Successful console login by a principal will generate tickets in the user's cache. Failed login by a principal (because the principal doesn't exist, or the wrong password was supplied) should fall through to local authentications (/etc/shadow). Note: the principal must be associated with an account on the system, either in the local passwd database or via a network system such as NIS or LDAP.

  1. Install krb5 package and krb5-appl package.
  2. Setup /etc/krb5.conf:
    krb5.conf
    [domain_realm]
            example.com = EXAMPLE.COM
            .example.com = EXAMPLE.COM
    
    [libdefaults]
            default_realm = EXAMPLE.COM
            dns_kdc_lookup = true
            dns_realm_lookup = true
            forwardable = true
            renewable = true
    
    [realms]
    
    EXAMPLE.COM = {
    			kdc = kerberos-1.example.com:88
    			kdc = kerberos-2.example.com:88
    			admin_server = kerberos-1.example.com:749
            }
    
  3. Verify kadmin, kinit working
    $ kinit krb5userprinc
    $ klist
    $ kadmin -p krb5adminprinc/admin
    
  4. Add host principal, and extract host principal to /etc/krb5.keytab using kadmin and admin principal:
    # kadmin -p krb5adminprinc/admin
    kadmin: ank -randkey host/fully.qualified.domain.name
    kadmin: xst -k /etc/krb5.keytab host/fully.qualified.domain.name
    kadmin: quit
    
  5. Patch /etc/inittab to use login.krb5 (Patch).
  6. Optional: if /usr is a separate filesystem, copy libraries from /usr/kerberos/lib to /lib (so you can still login if /usr isn't mounted):
    # cp /usr/kerberos/lib/{libkrb5.so.3,libk5crypto.so.3,libcom_err.so.3,libkrb5support.so.0} /lib
    

The Application Server

This procedure will result in network listening services which accept Kerberos tickets, or which will verify a password against the Kerberos database via the Kerberos libraries.

  1. Setup following Client steps.
  2. Unpack the OpenSSH source archive from the Slackware distribution. Patch openssh.SlackBuild (Patch). Build and install the new package.
    $ cd openssh
    $ patch -p0 < openssh_SlackBuild-13.1-SK5.patch
    # sh openssh.SlackBuild
    # removepkg openssh
    # installpkg /tmp/openssh-5.5p1-i486-1_SK5.txz
    
  3. Extract keytabs for ssh/fully.qualified.domain.name@REALM to /etc/krb5.keytab.
    # kadmin -p krb5adminprinc/admin
    kadmin: ank -randkey ssh/fully.qualified.domain.name
    kadmin: xst -k /etc/krb5.keytab ssh/fully.qualified.domain.name
    
  4. Patch /etc/ssh/sshd_config for GSSAPI support (Patch). Restart sshd
    # /etc/rc.d/rc.sshd restart
  5. Patch /etc/ssh/ssh_config to support GSSAPI (Patch). Do this on every client where you will use kerberos tickets to authenticate to the server
  6. Alternative to previous step: setup a per-user .ssh/ssh_config file to specify GSSAPI authentication.
  7. Alternative #2: invoke SSH with
    -o preferredAuthentications=gssapi

Repeat this general procedure for all programs which will use Kerberos authentication. Kerberized alternatives for telnet, rlogin, rsh, rcp, and ftp clients and daemons are available in /usr/kerberos/sbin. Modify /etc/inetd.conf or create symbolic links to use these daemons in place of the stock daemons.

Patches to several Slackware package build scripts are available on this page: nfs-utils cyrus-sasl. Rebuilt packages are tagged with the suffix "_SK5" to avoid confusion with the stock Slackware packages. Refer to the software documentation, HOWTOs, or other documents for configuration and usage details of these packages.

The SK5 nfs-utils package, along with the required support libraries, allows NFSv4 GSSAPI mounts. This is poorly tested; consider it experimental.

The SK5 cyrus-sasl adds the SASL GSSAPI mechanism to the available mechanisms for any SASL-aware program.

If you use slackpkg(8), be sure to blacklist any packages which are rebuilt with Kerberos support. Updates to these packages will have to be rebuilt from source, after patching the build scripts as above, or upgraded with binary packages from this page.

Note: Kerberos is only for authentication. LDAP, YP, or flat files should be used to control authorization of kerberos principals. nss_ldap is available from Slackbuilds.org.

Table of patches, packages, and build scripts

Below is a complete listing of patches and packages referenced above. Packages which I have produced are available on this site as SlackBuild (from source) packages and binary packages. Additionally, I am providing binary "rebuilt" packages for the various Slackware packages which are rebuilt to be Kerberos-aware. I don't have access to an x86_64 build machine; Slack64 folks will have to patch the SlackBuild scripts and rebuild from source.

SlackBuild patches Description Download(s) Checksum (MD5)
cyrus-sasl Patch to the Slackware source cyrus-sasl.SlackBuild script. Requires: krb5. cyrus-sasl SlackBuild patch (13.0)
cyrus-sasl SlackBuild patch (13.1)
cyrus-sasl SlackBuild patch (13.37)
9040082c15678b7a16a10b0f7739ab49
798ebf3618b2afad360ae902275d95e3
565b1e2b1e004f33e39a9b451183f684
openssh Patch to the Slackware source openssh.SlackBuild script. Requires: krb5. openssh SlackBuild patch (13.0)
openssh SlackBuild patch (13.1)
openssh SlackBuild patch (13.37)
a5226a1fc994be587c3b496ddce758bd
ef34154295fc35de6d62b2c20b2cb358
81a5059d3c3f50206d96e131376cb263
nfs-utils Patch to the Slackware source nfs-utils.SlackBuild script. Allows AUTH_GSS and NFSv4. Requires: krb5, libgssglue, libtirpc, libnfsidmap, librpcsecgss, libevent. nfs-utils SlackBuild patch (13.0)
nfs-utils SlackBuild patch (13.1)
nfs-utils SlackBuild patch (13.37)
517fcd4f08065df58ae78f20405b3b8d
efde126df1711d9153d5076856ceef52
971c8056327b68bc12fdaff8119909db
mailx Patch to the Slackware source mailx.SlackBuild script. Allows GSSAPI connections to IMAP servers. Requires krb5. mailx SlackBuild patch (13.37) d57843fbf63e86d9c85f27f84a610f54
Configuration file patches Description Download(s) Checksum (MD5)
/etc/inittab Configures login console to use /usr/kerberos/sbin/login.krb5 instead of /bin/login. Allows Kerberos principal authentication, and collects initial Kerberos tickets at login. Falls back to local authentication when Kerberos fails. inittab login.krb5 patch (13.0,13.1) 46ca6c54f676dad53d94f149298bdfd0
/etc/ssh/ssh_config Configures OpenSSH client to try GSSAPI authentication. ssh_config patch (13.0,13.1,13.37) fcf97bf03e92f6f7f049d740499be5a7
/etc/ssh/sshd_config Configures OpenSSH daemon to accept GSSAPI authentication. sshd_config patch (13.0,13.1,13.37) 8db0f7f43e95707dab74f960865eed56
SlacK5 packages and build scripts Description Download(s) Checksum (MD5)
libgssglue libgssglue libgssglue-0.1-i486-1_SK5.tgz (13.0)
libgssglue-0.1-i486-1_SK5.tgz (13.1)
libgssglue 0.1 SK5 SlackBuild (13.0)
libgssglue 0.1 SK5 SlackBuild (13.1)
libgssglue 0.1 SK5 SlackBuild (13.37)
5a89a1e625bc6af46890af30cec5dcab
2b7940bc09cd27a5d081f78aec24e394
librpcsecgss librpcsecgss. Requires libgssglue. librpcsecgss-0.19-i486-1_SK5.tgz (13.0)
librpcsecgss-0.19-i486-1_SK5.tgz (13.1)
librpcsecgss 0.19 SK5 SlackBuild (13.0)
librpcsecgss 0.19 SK5 SlackBuild (13.1)
librpcsecgss 0.19 SK5 SlackBuild (13.37)
65109ded2dcd7f802f05dca5662bcbff
26393019d6aef345838f50b80df3a6fc
libnfsidmap libnfsidmap. Requires libgssglue, librpcsecgss, libtirpc, and libevent (SBo). libnfsidmap-0.24-i486-1_SK5.tgz (13.0)
libnfsidmap-0.24-i486-1_SK5.tgz (13.1)
libnfsidmap 0.24 SK5 SlackBuild (13.0)
libnfsidmap 0.24 SK5 SlackBuild (13.1)
libnfsidmap 0.24 SK5 SlackBuild (13.37)
4c3830092707db94b72edfe5cb89d079
8b86edc9e5b49b489e4cd7a2166537d8
libtirpc libtirpc. Requires libgssglue. libtirpc-0.2.1-i486-1_SK5.tgz (13.0)
libtirpc-0.2.1-i486-1_SK5.tgz (13.1)
libtirpc 0.2.1 SK5 SlackBuild (13.0)
libtirpc 0.2.1 SK5 SlackBuild (13.1)
libtirpc 0.2.1 SK5 SlackBuild (13.37)
N/A
4dd50ae26371be4ac4ff237931e72a32
krb5 MIT Kerberos V krb5-1.9-i486-1_SK5.tgz (13.1)
krb5 1.9 SK5 SlackBuild (13.1)
krb5 1.9.2 SK5 SlackBuild (13.37)
e687f37973dddecf6b1bf8147957778b
krb5-appl MIT Kerberos V applications. Requires: krb5 krb5-appl-1.0.1-i486-1_SK5.tgz (13.1)
krb5-appl 1.0.1 SK5 SlackBuild (13.1)
krb5-appl 1.0.2 SK5 SlackBuild (13.37)
e687f37973dddecf6b1bf8147957778b
Slackware package "rebuilds" Description Download(s) Checksum (MD5)
cyrus-sasl Cyrus-sasl 2.1.23 linked to MIT Kerberos. Requires: krb5 cyrus-sasl-2.1.23-i486-1_SK5.txz (13.1) e687f37973dddecf6b1bf8147957778b
openssh OpenSSH 5.5p1 linked to MIT Kerberos. Requires: krb5 openssh-5.5p1-i486-1_SK5.txz (13.1) 1fe6d23951e7be161bfc7b3afab4dfb4
nfs-utils nfs-utils 1.2.2 linked to MIT Kerberos with NFSv4 support. Requires: krb5, libgssglue, librpcsecgss, libtirpc, libevent, libnfsidmap. nfs-utils-1.2.2-i486-1_SK5.txz (13.1) 282dd561c704b640c5915bfaeb13368c

Further work


All trademarks are proprety of their respective owners. All else copyright 2011 Tom Canich.
Last modified: 30 November 2011