Kerberizing Slackware without PAM

27 Jan 2011

This document guides the configuration of Slackware to use Kerberos for authentication. Slackware is (in)famous for not using PAM, so this effort will follow that philosophy. Below are the steps required to configure a KDC, a Kerberos client station which can collect tickets from the KDC and allow console logins with Kerberos credentials, and network applications which accept Kerberos credentials. Tested releases are Slackware 13.0 and 13.1 on i386 and Slackware 13.37 on x86_64. Please send all comments, corrections, or questions to Tom Canich.

Disclaimer

Use this information at your own risk. No warranty is expressed or implied.
Slackware is a registered trademark of Slackware Linux, Inc.

The KDC

This procedure will result in a new Kerberos realm. If you already have access to a Kerberos KDC, you can skip to the client and application server parts. Also, the procedure below is very abbreviated and is not a substitute for reading the documentation supplied in the package or on the MIT Kerberos website.

  1. Install krb5 package.
  2. Configure /etc/krb5.conf, /var/krb5kdc/kdc.conf and /var/krb5kdc/kadm5.acl. These files are examples which you should adjust after reading the Kerberos documentation.
    krb5.conf
    [domain_realm]
            example.com = EXAMPLE.COM
            .example.com = EXAMPLE.COM
    
    [libdefaults]
            default_realm = EXAMPLE.COM
            dns_lookup_kdc = true
            dns_lookup_realm = true
            forwardable = true
            renewable = true
    
    [realms]
            EXAMPLE.COM = {
                    kdc = kerberos-1.example.com:88
                    kdc = kerberos-2.example.com:88
                    admin_server = kerberos-1.example.com:749
            }
    
    kdc.conf
    [kdcdefaults]
            kdc_ports = 749,88
    
    [realms]
            EXAMPLE.COM = {
                    database_name = /var/krb5kdc/principal
                    admin_keytab = FILE:/var/krb5kdc/kadm5.keytab
                    acl_file = /var/krb5kdc/kadm5.acl
                    key_stash_file = /var/krb5kdc/.k5.EXAMPLE.COM
                    kdc_ports = 749,88
                    max_life = 10h 0m 0s
                    max_renewable_life = 7d 0h 0m 0s
                    supported_keytypes = aes256-cts des-cbc-crc des-cbc-md5
            }
    
    kadm5.acl
    krb5adminprinc/admin   *
    
  3. Create the database.
    /usr/kerberos/sbin/kdb5_util create -r EXAMPLE.COM -s
    
  4. Extract the admin server keys to /var/krb5kdc/kadm5.keytab.
    /usr/kerberos/sbin/kadmin.local
    kadmin.local: xst -k /var/krb5kdc/kadm5.keytab kadmin/admin kadmin/changepw
    
  5. Create host and other principals; extract to /etc/krb5.keytab
    kadmin.local: ank -randkey host/fully.qualified.domain.name
    kadmin.local: xst -k /etc/krb5.keytab host/fully.qualified.domain.name
    
  6. Create admin, user principals
    kadmin.local: ank krb5adminprinc/admin
    kadmin.local: ank krb5userprinc
    kadmin.local: quit
    
  7. Create startup script /etc/rc.d/rc.krb5
    rc.krb5 - shamelessly ripped off from rc.samba from Slackware 13.0
    #!/bin/sh
    #
    # /etc/rc.d/rc.krb5
    #
    # Start/stop/restart the MIT Kerberos V KDC
    #
    # To make Kerberos start automatically at boot, make this
    # file executable:  chmod 755 /etc/rc.d/rc.krb5
    #
    
    krb5_start() {
      if [ -x /usr/kerberos/sbin/krb5kdc -a -x /usr/kerberos/sbin/kadmind -a -r /etc/krb5.conf -a -r /var/krb5kdc/kdc.conf ]; then
        echo "Starting Kerberos:  /usr/kerberos/sbin/krb5kdc"
        /usr/kerberos/sbin/krb5kdc
        echo "                 /usr/kerberos/sbin/kadmind"
        /usr/kerberos/sbin/kadmind
      fi
    }
    
    krb5_stop() {
      killall krb5kdc kadmind
    }
    
    krb5_restart() {
      krb5_stop
      sleep 2
      krb5_start
    }
    
    case "$1" in
    'start')
      krb5_start
      ;;
    'stop')
      krb5_stop
      ;;
    'restart')
      krb5_restart
      ;;
    *)
      # Default is "start", for backwards compatibility with previous
      # Slackware versions.  This may change to a 'usage' error someday.
      krb5_start
    esac
    
  8. Start KDC daemons:
    # sh /etc/rc.d/rc.krb5 start
    Remember to make the rc.krb5 script executable if you want the KDC to start automatically at boot.
  9. Verify connectivity to KDC with kadmin, kinit:
    $ kinit krb5userprinc
    $ klist
    $ kadmin -p krb5adminprinc/admin
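
A quick audit for the files created in this section, as an added example that is not part of the original page: weak_enctypes lists single-DES and export-grade RC4 enctypes on a kdc.conf enctype line (such as the des-cbc-crc and des-cbc-md5 entries in the sample kdc.conf above), and loose_perms lists secret files that group or other can access. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): audit a kdc.conf and key files.

# Single-DES and export-grade RC4 enctype names, deprecated by RFC 6649.
WEAK='des des-cbc-crc des-cbc-md4 des-cbc-md5 des-cbc-raw des-hmac-sha1 arcfour-hmac-exp rc4-hmac-exp arcfour-hmac-md5-exp'

# weak_enctypes FILE: print "key: enctype" for each weak entry found.
# supported_enctypes is MIT's documented key; supported_keytypes is the
# spelling used in this page's sample kdc.conf.
weak_enctypes() {
  grep -v '^[[:space:]]*[#;]' "$1" |
  awk -F= -v weak="$WEAK" '
    BEGIN { n = split(weak, w, " "); for (i = 1; i <= n; i++) bad[w[i]] = 1 }
    {
      key = $1; gsub(/[ \t]/, "", key)
      if (key !~ /^(supported_enctypes|supported_keytypes|master_key_type)$/) next
      m = split($2, v, /[ \t,]+/)
      for (i = 1; i <= m; i++) {
        sub(/:.*/, "", v[i])          # drop the ":salt" suffix
        if (v[i] in bad) print key ": " v[i]
      }
    }'
}

# loose_perms FILE...: print each existing path that grants any permission
# bit to group or other (keytabs and the stash file should be owner-only).
loose_perms() {
  for f in "$@"; do
    [ -e "$f" ] || continue
    case "$(ls -ld "$f" | cut -c5-10)" in
      ------) ;;
      *) echo "$f" ;;
    esac
  done
}

# Constructed sample mirroring the enctype line in the kdc.conf above.
demo=$(mktemp)
cat > "$demo" <<'EOF'
[realms]
        EXAMPLE.COM = {
                supported_keytypes = aes256-cts des-cbc-crc des-cbc-md5
        }
EOF
weak_enctypes "$demo"   # reports des-cbc-crc and des-cbc-md5
loose_perms "$demo"     # mktemp creates the file 0600, so nothing is printed
rm -f "$demo"
```

On the KDC built above, run weak_enctypes /var/krb5kdc/kdc.conf and loose_perms /etc/krb5.keytab /var/krb5kdc/kadm5.keytab /var/krb5kdc/.k5.EXAMPLE.COM.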
    

The Client

This procedure will result in a client capable of retrieving Kerberos tickets from a KDC and allowing Kerberos principals to log in at the console. Successful console login by a principal will generate tickets in the user's cache. Failed login by a principal (because the principal doesn't exist, or the wrong password was supplied) should fall through to local authentication (/etc/shadow). Note: the principal must be associated with an account on the system, either in the local passwd database or via a network system such as NIS or LDAP.

  1. Install krb5 package and krb5-appl package.
  2. Setup /etc/krb5.conf:
    krb5.conf
    [domain_realm]
            example.com = EXAMPLE.COM
            .example.com = EXAMPLE.COM
    
    [libdefaults]
            default_realm = EXAMPLE.COM
            dns_lookup_kdc = true
            dns_lookup_realm = true
            forwardable = true
            renewable = true
    
    [realms]
            EXAMPLE.COM = {
                    kdc = kerberos-1.example.com:88
                    kdc = kerberos-2.example.com:88
                    admin_server = kerberos-1.example.com:749
            }
    
  3. Verify that kadmin and kinit work:
    $ kinit krb5userprinc
    $ klist
    $ kadmin -p krb5adminprinc/admin
    
  4. Add host principal, and extract host principal to /etc/krb5.keytab using kadmin and admin principal:
    # kadmin -p krb5adminprinc/admin
    kadmin: ank -randkey host/fully.qualified.domain.name
    kadmin: xst -k /etc/krb5.keytab host/fully.qualified.domain.name
    kadmin: quit
    
  5. Patch /etc/inittab to use login.krb5 (Patch).
  6. Optional: if /usr is a separate filesystem, copy libraries from /usr/kerberos/lib to /lib (so you can still login if /usr isn't mounted):
    # cp /usr/kerberos/lib/{libkrb5.so.3,libk5crypto.so.3,libcom_err.so.3,libkrb5support.so.0} /lib
    

The Application Server

This procedure will result in network listening services which accept Kerberos tickets, or which will verify a password against the Kerberos database via the Kerberos libraries.

  1. Set up the host following the Client steps.
  2. Unpack the OpenSSH source archive from the Slackware distribution. Patch openssh.SlackBuild (Patch). Build and install the new package.
    $ cd openssh
    $ patch -p0 < openssh_SlackBuild-13.1-SK5.patch
    # sh openssh.SlackBuild
    # removepkg openssh
    # installpkg /tmp/openssh-5.5p1-i486-1_SK5.txz
    
  3. Extract keytabs for ssh/fully.qualified.domain.name@REALM to /etc/krb5.keytab.
    # kadmin -p krb5adminprinc/admin
    kadmin: ank -randkey ssh/fully.qualified.domain.name
    kadmin: xst -k /etc/krb5.keytab ssh/fully.qualified.domain.name
    
  4. Patch /etc/ssh/sshd_config for GSSAPI support (Patch). Restart sshd:
    # /etc/rc.d/rc.sshd restart
  5. Patch /etc/ssh/ssh_config to support GSSAPI (Patch). Do this on every client where you will use Kerberos tickets to authenticate to the server.
  6. Alternative to previous step: set up a per-user .ssh/ssh_config file to specify GSSAPI authentication.
  7. Alternative #2: invoke SSH with
    -o PreferredAuthentications=gssapi-with-mic
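
A check for step 4, as an added example (not the page's patch and not OpenSSH code): sshd keeps the first value it reads for a keyword, so a GSSAPIAuthentication line appended below an earlier one has no effect. The helper names and the sample config are constructed; the parser covers only the global section before any Match block.

```shell
#!/bin/sh
# Added example: report the effective global value of an sshd_config keyword.
# Keywords are case-insensitive, the first value read wins, and settings
# after a "Match" line are conditional, so parsing stops there.

# effective_opt FILE KEYWORD DEFAULT: print the value sshd would use globally.
effective_opt() {
  awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
    /^[ \t]*(#|$)/ { next }                 # comments and blank lines
    {
      line = $0; sub(/^[ \t]+/, "", line)
      split(line, f, /[ \t=]+/)
      key = tolower(f[1])
      if (key == "match") exit              # conditional blocks start here
      if (key == want) { val = tolower(f[2]); found = 1; exit }
    }
    END { print (found ? val : def) }' "$1"
}

# gssapi_report FILE: one "keyword=value" line per GSSAPI server setting,
# using the defaults documented in sshd_config(5).
gssapi_report() {
  echo "gssapiauthentication=$(effective_opt "$1" GSSAPIAuthentication no)"
  echo "gssapicleanupcredentials=$(effective_opt "$1" GSSAPICleanupCredentials yes)"
}

# Constructed sample: the later "yes" is ignored because "no" was read first.
demo=$(mktemp)
cat > "$demo" <<'EOF'
# constructed sample, not the page's sshd_config patch
Port 22
#GSSAPIAuthentication yes
GSSAPIAuthentication no
gssapiauthentication yes
EOF
gssapi_report "$demo"
rm -f "$demo"
```

On a live host, sshd -T prints the effective configuration as parsed by the daemon itself and is the authoritative check.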

Repeat this general procedure for all programs which will use Kerberos authentication. Kerberized alternatives for telnet, rlogin, rsh, rcp, and ftp clients and daemons are available in /usr/kerberos/sbin. Modify /etc/inetd.conf or create symbolic links to use these daemons in place of the stock daemons.

Patches to several Slackware package build scripts are available on this page: nfs-utils, cyrus-sasl. Rebuilt packages are tagged with the suffix "_SK5" to avoid confusion with the stock Slackware packages. Refer to the software documentation, HOWTOs, or other documents for configuration and usage details of these packages.

The SK5 nfs-utils package, along with the required support libraries, allows NFSv4 GSSAPI mounts. This is poorly tested; consider it experimental.

The SK5 cyrus-sasl adds the SASL GSSAPI mechanism to the available mechanisms for any SASL-aware program.

If you use slackpkg(8), be sure to blacklist any packages which are rebuilt with Kerberos support. Updates to these packages will have to be rebuilt from source, after patching the build scripts as above, or upgraded with binary packages from this page.

Note: Kerberos is only for authentication. LDAP, YP, or flat files should be used to control authorization of Kerberos principals. nss_ldap is available from Slackbuilds.org.

Table of patches, packages, and build scripts

Below is a complete listing of patches and packages referenced above. Packages which I have produced are available on this site as SlackBuild (from source) packages and binary packages. Additionally, I am providing binary "rebuilt" packages for the various Slackware packages which are rebuilt to be Kerberos-aware. I don't have access to an x86_64 build machine; Slack64 folks will have to patch the SlackBuild scripts and rebuild from source.

SlackBuild patches

cyrus-sasl
  Description: Patch to the Slackware source cyrus-sasl.SlackBuild script. Requires: krb5.
  Download(s): cyrus-sasl SlackBuild patch (13.0); cyrus-sasl SlackBuild patch (13.1); cyrus-sasl SlackBuild patch (13.37)
  Checksum (MD5): 9040082c15678b7a16a10b0f7739ab49; 798ebf3618b2afad360ae902275d95e3; 565b1e2b1e004f33e39a9b451183f684

openssh
  Description: Patch to the Slackware source openssh.SlackBuild script. Requires: krb5.
  Download(s): openssh SlackBuild patch (13.0); openssh SlackBuild patch (13.1); openssh SlackBuild patch (13.37)
  Checksum (MD5): a5226a1fc994be587c3b496ddce758bd; ef34154295fc35de6d62b2c20b2cb358; 81a5059d3c3f50206d96e131376cb263

nfs-utils
  Description: Patch to the Slackware source nfs-utils.SlackBuild script. Allows AUTH_GSS and NFSv4. Requires: krb5, libgssglue, libtirpc, libnfsidmap, librpcsecgss, libevent.
  Download(s): nfs-utils SlackBuild patch (13.0); nfs-utils SlackBuild patch (13.1); nfs-utils SlackBuild patch (13.37)
  Checksum (MD5): 517fcd4f08065df58ae78f20405b3b8d; efde126df1711d9153d5076856ceef52; 971c8056327b68bc12fdaff8119909db

mailx
  Description: Patch to the Slackware source mailx.SlackBuild script. Allows GSSAPI connections to IMAP servers. Requires krb5.
  Download(s): mailx SlackBuild patch (13.37)
  Checksum (MD5): d57843fbf63e86d9c85f27f84a610f54

Configuration file patches

/etc/inittab
  Description: Configures login console to use /usr/kerberos/sbin/login.krb5 instead of /bin/login. Allows Kerberos principal authentication, and collects initial Kerberos tickets at login. Falls back to local authentication when Kerberos fails.
  Download(s): inittab login.krb5 patch (13.0,13.1)
  Checksum (MD5): 46ca6c54f676dad53d94f149298bdfd0

/etc/ssh/ssh_config
  Description: Configures OpenSSH client to try GSSAPI authentication.
  Download(s): ssh_config patch (13.0,13.1,13.37)
  Checksum (MD5): fcf97bf03e92f6f7f049d740499be5a7

/etc/ssh/sshd_config
  Description: Configures OpenSSH daemon to accept GSSAPI authentication.
  Download(s): sshd_config patch (13.0,13.1,13.37)
  Checksum (MD5): 8db0f7f43e95707dab74f960865eed56

SlacK5 packages and build scripts

libgssglue
  Description: libgssglue
  Download(s): libgssglue-0.1-i486-1_SK5.tgz (13.0); libgssglue-0.1-i486-1_SK5.tgz (13.1); libgssglue 0.1 SK5 SlackBuild (13.0); libgssglue 0.1 SK5 SlackBuild (13.1); libgssglue 0.1 SK5 SlackBuild (13.37)
  Checksum (MD5): 5a89a1e625bc6af46890af30cec5dcab; 2b7940bc09cd27a5d081f78aec24e394

librpcsecgss
  Description: librpcsecgss. Requires libgssglue.
  Download(s): librpcsecgss-0.19-i486-1_SK5.tgz (13.0); librpcsecgss-0.19-i486-1_SK5.tgz (13.1); librpcsecgss 0.19 SK5 SlackBuild (13.0); librpcsecgss 0.19 SK5 SlackBuild (13.1); librpcsecgss 0.19 SK5 SlackBuild (13.37)
  Checksum (MD5): 65109ded2dcd7f802f05dca5662bcbff; 26393019d6aef345838f50b80df3a6fc

libnfsidmap
  Description: libnfsidmap. Requires libgssglue, librpcsecgss, libtirpc, and libevent (SBo).
  Download(s): libnfsidmap-0.24-i486-1_SK5.tgz (13.0); libnfsidmap-0.24-i486-1_SK5.tgz (13.1); libnfsidmap 0.24 SK5 SlackBuild (13.0); libnfsidmap 0.24 SK5 SlackBuild (13.1); libnfsidmap 0.24 SK5 SlackBuild (13.37)
  Checksum (MD5): 4c3830092707db94b72edfe5cb89d079; 8b86edc9e5b49b489e4cd7a2166537d8

libtirpc
  Description: libtirpc. Requires libgssglue.
  Download(s): libtirpc-0.2.1-i486-1_SK5.tgz (13.0); libtirpc-0.2.1-i486-1_SK5.tgz (13.1); libtirpc 0.2.1 SK5 SlackBuild (13.0); libtirpc 0.2.1 SK5 SlackBuild (13.1); libtirpc 0.2.1 SK5 SlackBuild (13.37)
  Checksum (MD5): N/A; 4dd50ae26371be4ac4ff237931e72a32

krb5
  Description: MIT Kerberos V
  Download(s): krb5-1.9-i486-1_SK5.tgz (13.1); krb5 1.9 SK5 SlackBuild (13.1); krb5 1.9.2 SK5 SlackBuild (13.37)
  Checksum (MD5): e687f37973dddecf6b1bf8147957778b

krb5-appl
  Description: MIT Kerberos V applications. Requires: krb5
  Download(s): krb5-appl-1.0.1-i486-1_SK5.tgz (13.1); krb5-appl 1.0.1 SK5 SlackBuild (13.1); krb5-appl 1.0.2 SK5 SlackBuild (13.37)
  Checksum (MD5): e687f37973dddecf6b1bf8147957778b

Slackware package "rebuilds"

cyrus-sasl
  Description: Cyrus-sasl 2.1.23 linked to MIT Kerberos. Requires: krb5
  Download(s): cyrus-sasl-2.1.23-i486-1_SK5.txz (13.1)
  Checksum (MD5): e687f37973dddecf6b1bf8147957778b

openssh
  Description: OpenSSH 5.5p1 linked to MIT Kerberos. Requires: krb5
  Download(s): openssh-5.5p1-i486-1_SK5.txz (13.1)
  Checksum (MD5): 1fe6d23951e7be161bfc7b3afab4dfb4

nfs-utils
  Description: nfs-utils 1.2.2 linked to MIT Kerberos with NFSv4 support. Requires: krb5, libgssglue, librpcsecgss, libtirpc, libevent, libnfsidmap.
  Download(s): nfs-utils-1.2.2-i486-1_SK5.txz (13.1)
  Checksum (MD5): 282dd561c704b640c5915bfaeb13368c

Further work