Monday, January 9, 2006

Linux Kerberos Authentication

Summary

This document describes the methods used to authenticate Linux machines against a central kerberos realm.

Please note: Many documents found on the web describe Kerberos authentication as it relates to Samba and joining a Samba server to a Windows domain. They are two different things, so don't confuse them. This document describes how to authenticate against a Kerberos realm (Active Directory in our case) via PAM (Pluggable Authentication Modules).

Why use Kerberos and not NTLM

  • Kerberos is a standard protocol, NTLM is proprietary.
  • Kerberos is more secure than NTLM.
  • Kerberos is the "new" mechanism used by Windows servers. NTLM is the Windows NT domain authentication method.
  • According to Microsoft Kerberos is more efficient than NTLM.

Server Configuration

This document contains diff files which are relevant only to Red Hat Enterprise Linux AS release 3 (Taroon Update 5). Concepts should transfer.
  1. Be sure to have proper rpms installed: up2date pam_krb5 krb5-libs krb5-devel krb5-workstation
  2. Modify /etc/krb5.conf
  3. Modify /var/kerberos/krb5kdc/kdc.conf
    • Might not exist so make it first:
      • mkdir -p /var/kerberos/krb5kdc
      • touch /var/kerberos/krb5kdc/kdc.conf
    • Reference (these links give you in-depth information, skip to examples if you don't care)
    • Examples
  4. Modify relevant PAM service files:
    • For LOGIN service only (telnet,ftp,xinetd-based-services), modify /etc/pam.d/login
      • login.diff Diff for a working login file.
        • Copy the contents or the file login.diff to the server.
        • cd /etc/pam.d
        • patch -i login.diff login
      • login Working login file.
    • For SSHD service only, modify /etc/pam.d/sshd
      • sshd.diff Diff for a working sshd file.
        • Copy the contents or the file sshd.diff to the server.
        • cd /etc/pam.d
        • patch -i sshd.diff sshd
      • sshd Working sshd file.

How It Works

At this point the server has the capability of authenticating against a kerberos realm. For a user to properly authenticate they must have an active account on the domain and a local account on the Linux machine (no password). If both of these things are not true, authentication will fail.
  • useradd dannies

Now that the user is local you assign file permissions and groups the same as you would any user account. If a user is disabled on the domain they will no longer be able to login to the kerberos authenticated machine.

More Information

No comments: