Kerberos/SASL/LDAP


These are my (incomplete) notes on working with Kerberos, SASL and LDAP in a single-sign-on style environment. These notes are probably repetitive of many other documents on the Internet, but perhaps this will be useful as a concise central resource that ties all that information together. These notes are extremely rough and I'm open to any comments/suggestions/critiques (be nice) you might have. I'm still learning much of these topics so I'm sure I'm missing things and/or doing them incorrectly.


Secure Kerberos/SASL/LDAP Configuration

Initial Setup

Because a large portion of the initial setup of Kerberos is covered in many other areas and in online docs, I'm not going to address it too much here. These are some great links to consider when configuring Kerberos, LDAP and PAM:

http://web.mit.edu/kerberos/www/ - This is the site of the actual MIT distribution of Kerberos. There are lots of great docs here as well as links to other great sites on Kerberos.

http://www.isi.edu/~brian/security/kerberos.html - "Moron's Guide to Kerberos" - this is the place I started and is a fantastic "quick and dirty" explanation of Kerberos and how it works.

http://www.bayour.com/LDAPv3-HOWTO.html - Again, because this document already exists, I'm probably just reinventing the wheel (some consolation to me, I'm making the wheel smaller!). This is a MUST READ BEFORE reading this document.

http://www.hut.fi/cc/docs/kerberos/sso.html - Haven't read this one yet, but it may be just a better written and more thorough explanation of my own notes here. Looks interesting at first glance anyhow.

http://www.ncsa.uiuc.edu/UserInfo/Resources/Software/kerberos/index.html - This is another link I haven't thoroughly explored yet, but it did provide some great initial information on setting up PAM. Worth adding to your bookmarks.

http://www.padl.com/ - If you're dealing with LDAP and authentication, this link really needs to be included. Check out some of their useful (sometimes necessary) tools.

http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam.html - Most everything you wanted to know about PAM and how it works short of buying the book! (I need to read more of this someday)

RFC's

Here is an (incomplete?) list of RFCs of relevance:

RFC1510 - The Kerberos Network Authentication Service (V5)

RFC2222 - Simple Authentication and Security Layer (SASL)

RFC2478 - The Simple and Protected GSS-API Negotiation Mechanism

RFC2743 - Generic Security Service Application Program Interface Version 2, Update 1

RFC2829 - Authentication Methods for LDAP

RFC2942 - Telnet Authentication: Kerberos Version 5

RFC3129 - Requirements for Kerberized Internet Negotiation of Keys

RFC3244 - Microsoft Windows 2000 Kerberos Change Password and Set Password Protocols

RFC3494 - LDAP version 2 (obsolete?)

RFC3546 - Transport Layer Security (TLS)

DNS Configuration

Here is the basic configuration for the SRV records in DNS that will make Kerberos work much more smoothly (add the LDAP server in too while you're at it):

; SRV records
;
_kerberos IN TXT "DOMAIN.COM" ;Kerberos Realm (must match the realm name exactly, including case)
_kerberos._udp IN SRV 0 0 88 kerberos_host ;KDC - the record clients look up first
_kerberos-master._udp IN SRV 0 0 88 kerberos_host ;master KDC
_kerberos-adm._tcp IN SRV 0 0 749 kerberos_host ;kadmin
_kpasswd._udp IN SRV 0 0 464 kerberos_host ;password changes
_ldap._tcp.pmctechnologies.com IN SRV 0 0 389 ldap_host
  • SRV Records - RFC2052 - A type of DNS record that maps a service to a host directly. The service is labelled using a preceding "_" to make the record unique, and a port number is given to identify the service on the host. Load balancing and failover can be accomplished using SRV records.
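As an added check (not part of these notes): a small zone-file linter that parses SRV records in the form shown above and reports the records a Kerberos or LDAP client would fail to find, or find on the wrong port. The zone text is constructed for the example; `kerberos_host` and `ldap_host` are placeholders as in the notes.

```python
import re

# Constructed zone fragment (placeholders kerberos_host/ldap_host as in the notes)
ZONE = """\
_kerberos IN TXT "DOMAIN.COM" ;Kerberos Realm
_kerberos._udp IN SRV 0 0 88 kerberos_host
_kerberos-master._udp IN SRV 0 0 88 kerberos_host
_kerberos-adm._tcp IN SRV 0 0 749 kerberos_host
_kpasswd._udp IN SRV 0 0 464 kerberos_host
_ldap._tcp IN SRV 0 0 389 ldap_host
"""

# Owner name a client looks up -> port it expects to find there
EXPECTED = {
    "_kerberos._udp": 88,
    "_kerberos-master._udp": 88,
    "_kerberos-adm._tcp": 749,
    "_kpasswd._udp": 464,
    "_ldap._tcp": 389,
}

SRV_RE = re.compile(r"^(\S+)\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)")
TXT_RE = re.compile(r'^_kerberos\s+IN\s+TXT\s+"([^"]+)"')

def parse_zone(text):
    """Return ({owner: [(prio, weight, port, target), ...]}, realm or None)."""
    srv, realm = {}, None
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()    # strip zone-file comments
        if not line:
            continue
        m = SRV_RE.match(line)
        if m:
            owner, prio, weight, port, target = m.groups()
            srv.setdefault(owner, []).append((int(prio), int(weight), int(port), target))
        elif TXT_RE.match(line):
            realm = TXT_RE.match(line).group(1)
    return srv, realm

def check_zone(text, expected=EXPECTED):
    """Problems a Kerberos or LDAP client would hit with this zone."""
    srv, realm = parse_zone(text)
    problems = []
    if realm is None:
        problems.append("missing _kerberos TXT realm record")
    for owner, port in expected.items():
        if owner not in srv:
            problems.append("missing SRV record %s" % owner)
            continue
        for _, _, p, _ in srv[owner]:
            if p != port:
                problems.append("%s points at port %d, expected %d" % (owner, p, port))
    return problems
```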

Logons

Using Pluggable Authentication Modules (PAM) on the client to pass authentication to the KDC requires that pam_krb5 be installed. The pam_krb5.so module works in a similar fashion to kinit from the command line. Any passwords entered through pam_krb5.so are sent to the KDC encrypted, just as kinit would do, and an initial ticket is retrieved upon successful authentication.

PAM

Configuring /etc/pam.d/login: (NOTE: this has been updated; see the revised versions later in these notes. This represents the default SuSE 8.2 /etc/pam.d/login file after adding Kerberos logins using sufficient.)

#%PAM-1.0
auth sufficient pam_krb5.so missing_keytab_ok
auth requisite pam_unix2.so use_first_pass nullok
auth required pam_securetty.so
auth required pam_nologin.so
auth required pam_env.so
auth required pam_mail.so

account required pam_unix2.so

password required pam_pwcheck.so nullok
password required pam_unix2.so nullok use_first_pass use_authtok

session required pam_unix2.so none
session required pam_limits.so

The above process takes the entered username and appends the default realm as defined in /etc/krb5.conf.

The authentication path takes the form:

login -> pam_krb5.so (encrypted) -> KDC -> Authenticated

Definitions of PAM modules listed:

  • pam_unix.so - For getting the passwd entries, it uses NSS from glibc >= 2.1. This module can get password entries from a secure NIS+ server and change local, NIS and NIS+ passwords.
  • pam_env.so - A PAM module to load a configurable list of environment variables.
  • pam_securetty.so - Allows root logins only if the user is logging in on a "secure" tty, as defined by the listing in /etc/securetty. Also checks to make sure that /etc/securetty is a plain file and not world writable.
  • pam_nologin.so - This module always lets root in; it lets other users in only if the file /etc/nologin doesn't exist. In any case, if /etc/nologin exists, its contents are displayed to the user.
  • pam_krb5.so - This module interacts directly with the KDC to perform secure logins and retrieve an initial ticket.
  • pam_mail.so - This PAM module tells the user that they have new/unread email.
  • pam_pwcheck.so - Makes additional checks upon password changes, but doesn't make the change itself. It only provides functions for "passwd", not for authentication, accounting or session management.
  • pam_limits.so - Module for imposing user limits on login.
  • pam_deny.so - This module always fails; it ignores all options.
  • pam_cracklib.so - This module checks the password against dictionary words.

Below is the REVISED /etc/pam.d/login. It may be useful to add back some of the auth elements that were taken out of the above example (see the document included with SuSE 8.2, /usr/share/doc/packages/pam_krb5/README.SuSE, reproduced later in these notes, for great information on using the pam_krb5.so module in various auth environments):

#%PAM-1.0
auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok
auth sufficient pam_krb5.so use_first_pass forwardable
auth required pam_deny.so

account required pam_unix.so

password required pam_cracklib.so retry=3
password sufficient pam_unix.so nullok use_authtok md5 shadow
password sufficient pam_krb5.so use_authtok
password required pam_deny.so

session required pam_limits.so
session required pam_unix.so
session optional pam_krb5.so
  • likeauth - allows the credentials (not just a SUCCESS code) to be passed to subsequent auth items.
  • nullok - allows users with an initially NULL password to log in and change their password.
  • use_first_pass - allows lower stacked (i.e., not at the top of the list) auth items to use the previously submitted password without asking for a new one. If this auth fails, the password is just passed down the list without errors.
  • forwardable - issue tickets flagged 'FORWARDABLE'.
  • retry=3 - allow 3 password attempts before failing login and issuing a new login prompt.
  • use_authtok - set the new password to the one provided by the previously stacked password module. If this option is not set, pam_unix would ask the user for the new password.
  • md5 - in the case of conventional unix databases (which store the password encrypted) the md5 argument is used to do the encryption with the MD5 function as opposed to the conventional crypt(3) call.
  • shadow - same idea as md5, but tells pam_unix to maintain the shadow password file.
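Added illustration (not from these notes or from Linux-PAM): a small evaluator of the auth control flags as Linux-PAM applies them, run over the first and the revised login stacks above. It shows the point that matters for pam_securetty and pam_nologin: a `sufficient` module that succeeds ends the stack at once, so in the first stack (and likewise in the third iteration, where only pam_env precedes pam_krb5) a successful Kerberos login never reaches the securetty or nologin checks, while the revised stack still ends in pam_deny when neither method succeeds.

```python
# Linux-PAM control-flag semantics for one management group (auth here),
# reduced to the four keywords these notes use. Illustration only, not
# Linux-PAM's own code; modules not listed in `outcomes` are assumed to pass.
def run_stack(stack, outcomes):
    """stack: [(control, module)], outcomes: {module: True/False}.
    Returns (access granted?, modules that were actually consulted)."""
    consulted, required_failed = [], False
    for control, module in stack:
        ok = False if module == "pam_deny.so" else outcomes.get(module, True)
        consulted.append(module)
        if control == "required" and not ok:
            required_failed = True          # remember, but keep running the stack
        elif control == "requisite" and not ok:
            return False, consulted         # stop at once
        elif control == "sufficient" and ok and not required_failed:
            return True, consulted          # stop at once: later modules are skipped
        # a failing 'sufficient' and any 'optional' result change nothing
    return not required_failed, consulted

# First /etc/pam.d/login auth section from these notes (Kerberos first)
FIRST = [
    ("sufficient", "pam_krb5.so"),
    ("requisite", "pam_unix2.so"),
    ("required", "pam_securetty.so"),
    ("required", "pam_nologin.so"),
    ("required", "pam_env.so"),
    ("required", "pam_mail.so"),
]

# Revised auth section (local password first, Kerberos as fallback, deny last)
REVISED = [
    ("required", "pam_env.so"),
    ("sufficient", "pam_unix.so"),
    ("sufficient", "pam_krb5.so"),
    ("required", "pam_deny.so"),
]

def tty_checks_run(stack, outcomes):
    """Did pam_securetty and pam_nologin get a say for this login?"""
    consulted = run_stack(stack, outcomes)[1]
    return "pam_securetty.so" in consulted and "pam_nologin.so" in consulted
```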

The following is my third iteration of /etc/pam.d/login. It needs testing:

#%PAM-1.0
auth required pam_env.so
auth sufficient pam_krb5.so missing_keytab_ok ccache=SAFE putenv_direct
auth required pam_unix2.so use_first_pass likeauth nullok
auth required pam_securetty.so
auth required pam_nologin.so
auth required pam_env.so
auth required pam_mail.so
auth required pam_deny.so

account required pam_unix2.so

password required pam_pwcheck.so nullok
password required pam_cracklib.so retry=3
password sufficient pam_unix2.so nullok use_authtok md5 shadow
password sufficient pam_krb5.so use_authtok
password required pam_deny.so

session required pam_limits.so
session required pam_unix2.so
session optional pam_krb5.so

Also modified /etc/pam.d/passwd to enable users to change their Kerberos passwords at login if necessary (this also needs testing):

#%PAM-1.0
auth required pam_unix2.so nullok

account required pam_unix2.so

password required pam_pwcheck.so nullok
password required pam_unix2.so nullok use_first_pass use_authtok
password required pam_krb5.so use_first_pass
#password required pam_make.so /var/yp

session required pam_unix2.so
  • pam_make.so - (not sure what all this means - see the README.pam-make-0.1 doc for more information) a module that runs 'make -C yourdirectory' provided that /etc/pam.d/service has a password entry like:
password required /lib/security/pam_make.so yourdirectory

The following included document is from the SuSE 8.2 pam_krb5.so documentation. It offers some very useful information on the proper configuration of the PAM files to allow for either local logins as primary, or Kerberos logins as primary with local logins as the failover option.

Here are some hints on how to make the PAM Kerberos module work:

Authentication

If your primary authentication is still against the password database, make the auth section look something like this (long lines folded for better legibility):

auth required pam_unix.so ...
auth optional pam_krb5.so try_first_pass \
missing_keytab_ok \
ccache=SAFE \
putenv_direct

With this setup, a user must have a valid password in the local shadow file or NIS or wherever nsswitch gets its account information from.

Alternatively, if you want to make Kerberos your primary authentication method, and accept normal password logins as a fallback (e.g. for accounts not migrated to Kerberos, or in case the KDC is not reachable), use something like this:

auth sufficient pam_krb5.so missing_keytab_ok \
ccache=SAFE \
putenv_direct
auth required pam_unix.so use_first_pass ...

With this setup, users do not _have_ to have valid passwords in the account databases used by nsswitch (there need to be entries specifying user id, group, home directory etc).

Note the dots on the pam_unix lines above: the original pam_unix line often contains additional arguments to the module; be sure to leave them intact. The arguments shown here on the pam_unix.so lines must appear in addition to the ones that are already there.

Depending on the service, there may be other PAM modules before or after pam_unix. For instance, su has pam_rootok which will allow the super user to become any other user without having to present his/her password; the rlogind service calls the pam_rhosts module to check the user's .rhosts file. Make sure to leave these lines in place.

Password Updates

In order to be able to update Kerberos passwords via the passwd utility, you need to add the following line to /etc/pam.d/passwd:

password required pam_krb5.so use_first_pass

You can do this either after or before the pam_unix line. Note that Kerberos will fail silently if it cannot find a kpasswd server; you either have to configure one in /etc/krb5.conf (in the [realms] definition for your Kerberos realm, set kpasswd_server = name.of.your.kpasswd.server), or in your DNS.

For additional information, please refer to the pam_krb5(5) manual page.

SLAPD.CONF

It is important to include the proper schemas and to configure the entries appropriately. Here is the basic schema setup:

include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetOrgPerson.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/krb5-kdc.schema

(I got the extra schemas in this list from http://www.bayour.com/openldap/schemas/)

SASL Related Items in SLAPD.CONF

Include the following for using SASL access:

###########################################################
# SASL Configurations
#
# Following defines the default Kerberos domain realm
sasl-realm REALM

# Following defines the FQDN of the KDC Server
sasl-host <KDC_FQDN>

# This expression maps the SASL bind DN to the appropriate
# URI and maps the user to the appropriate Kerberos
# principal for matching the ticket properly. (slapd.conf
# continues a directive on lines that start with whitespace.)
saslRegexp
    uid=(.*),cn=DOMAIN.COM,cn=gssapi,cn=auth
    ldap:///ou=People,dc=domain,dc=com??sub?(krb5PrincipalName=$1@DOMAIN.COM)

# This expression maps the SASL bind DN to the matching
# DN in the LDAP directory - useful for pulling the rest
# of the user's data and matching it to the respective
# user.
saslRegexp
    uid=(.*),cn=DOMAIN.COM,cn=gssapi,cn=auth
    uid=$1,ou=People,dc=domain,dc=com

LDAP Directory

This is a typical user entry in the directory:

dn: uid=<user>,dc=domain,dc=com
objectClass: top
objectClass: person
objectClass: krb5Principal
objectClass: posixAccount
sn: <user's_last_name>
cn: <user's_full_name>
krb5PrincipalName: <user>@REALM.COM
uid: <username>
uidNumber: <user_ID_#>
gidNumber: <user_primary_group_ID_#>
homeDirectory: /home/<username>
loginShell: /bin/bash *
gecos: <user's_full_name> *

* These attributes are optional (there are many other optional attributes as well, but these are fairly useful for practical logins).
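Added example (not from these notes or from OpenLDAP) covering both the saslRegexp rules in SLAPD.CONF above and the directory entry just shown: it rewrites a GSSAPI authorization DN with the page's two rules, stopping at the first match as slapd does (so with two identical patterns the URI form is the one applied), and checks that an entry's krb5PrincipalName is exactly uid@REALM, which is what the `(krb5PrincipalName=$1@DOMAIN.COM)` filter needs to locate it. The entry text is constructed; the pattern is anchored to the whole DN and matched case-insensitively, which is this example's choice.

```python
import re

REALM = "DOMAIN.COM"

# The two saslRegexp rules from slapd.conf above, as (pattern, replacement)
RULES = [
    (r"uid=(.*),cn=DOMAIN.COM,cn=gssapi,cn=auth",
     "ldap:///ou=People,dc=domain,dc=com??sub?(krb5PrincipalName=$1@DOMAIN.COM)"),
    (r"uid=(.*),cn=DOMAIN.COM,cn=gssapi,cn=auth",
     "uid=$1,ou=People,dc=domain,dc=com"),
]

def map_authz_dn(authz_dn, rules=RULES):
    """Rewrite a SASL authorization DN with the first matching rule;
    None when no rule matches. Anchored to the whole DN, case-insensitive."""
    for pattern, replacement in rules:
        m = re.fullmatch(pattern, authz_dn, re.IGNORECASE)
        if m:
            # slapd writes back-references as $1..$9; Python's expand wants \1..\9
            return m.expand(re.sub(r"\$(\d)", r"\\\1", replacement))
    return None

# Constructed entry in the shape of the "typical user entry" above
ENTRY = """\
dn: uid=jdoe,ou=People,dc=domain,dc=com
objectClass: top
objectClass: person
objectClass: krb5Principal
objectClass: posixAccount
krb5PrincipalName: jdoe@DOMAIN.COM
uid: jdoe
uidNumber: 1001
gidNumber: 100
homeDirectory: /home/jdoe
"""

def parse_ldif(text):
    """Minimal single-entry LDIF reader: attribute -> list of values."""
    attrs = {}
    for line in text.splitlines():
        name, _, value = line.partition(": ")
        attrs.setdefault(name, []).append(value)
    return attrs

def principal_matches(entry_text, realm=REALM):
    """True when krb5PrincipalName is exactly uid@REALM (no stray characters),
    so the saslRegexp search filter above will find this entry."""
    attrs = parse_ldif(entry_text)
    return attrs.get("krb5PrincipalName") == ["%s@%s" % (attrs["uid"][0], realm)]
```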
