NetBSD-Users archive

Kerberos client functionalities in NetBSD

To: netbsd-users <netbsd-users%NetBSD.org@localhost>
Subject: Kerberos client functionalities in NetBSD
From: Rocky Hotas <rockyhotas%firemail.cc@localhost>
Date: Mon, 10 Feb 2020 16:04:09 +0100

Hi all! This is not a request or a question, but rather a collection of notes about Kerberos, for anyone who is interested.

I was trying to configure (for the first time) a NetBSD 8.1 amd64 host as a Kerberos client. First, it is worth noting that there is more than one implementation of Kerberos: MIT and Heimdal are maybe the most common ones. They should be API-compatible, as was suggested to me in the IRC channel #netbsd. The implementation of Kerberos natively used in NetBSD is Heimdal: the base system already includes an essential set of utilities like kinit(1), klist(1), kadmin(8), ktutil(8). If MIT Kerberos is needed, several packages are available in the pkgsrc repository.

Using only the base system, with just the creation of an appropriate /etc/krb5.conf file and the necessary lines in /etc/hosts, a NetBSD host is immediately able to obtain a Ticket-Granting Ticket as a Kerberos client. I used it against a MIT Kerberos server and I found no compatibility issues. This has been quick and very, very useful.

I found instead some issues when trying to create a keytable in the NetBSD client. For example, `kadmin -p admin_user' suddenly shows the admin_user admin prompt, which seems very odd; then, for some of the available commands, it asks for the password and does not return the prompt after entering the correct password. The same happens with `ktutil get -p admin_user host/fqdn.of.the.client'. Note that I cannot exclude that this is due to something I forgot (or did not know) to configure. However, a keytab created with MIT Kerberos utilities and then copied into NetBSD is correctly read with `ktutil -k keytab_file list' and is perfectly suitable, for example to receive ssh connections.

If ssh authentication through a Kerberos user must be provided in a NetBSD client, the /etc/pam.d/ files already include a line for the pam_krb5.so module: so, no configuration for PAM is needed. I installed from pkgsrc the package pam-krb5, which includes pam_krb5.so, but this file is already in the base system in /usr/lib/security/ and maybe there is no need for the package. Instead, cy2-gssapi (which depends on cyrus-sasl, needed as well) is necessary for GSSAPI authentication, in addition to the correct configuration lines both in /etc/ssh/sshd_config (for the server) and /etc/ssh/ssh_config (for the client).

In conclusion, the NetBSD 8.1 base system includes some executables and libraries which make a Kerberos client configuration almost immediate. Thanks to those who tailored the base system.

Bye!
Rocky
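The message above mentions three pieces of client-side setup without showing them: a minimal /etc/krb5.conf, the /etc/hosts line that gives the client its canonical FQDN (which the host/fqdn principal depends on), and the GSSAPI lines for sshd_config and ssh_config. The following POSIX sh script is an added example, not code from the original post or from NetBSD; the realm EXAMPLE.ORG, the hosts kdc.example.org and client1.example.org and the address 192.0.2.10 are constructed placeholders. It renders the configuration fragments and checks a hosts-file entry for the ordering problem that most often breaks host principals (short name listed before the FQDN).

```shell
#!/bin/sh
# Added example: render a minimal Kerberos client configuration for a
# NetBSD host and check the /etc/hosts entry it relies on.
# REALM, KDC, CLIENT_FQDN and CLIENT_IP are constructed placeholders.

REALM="EXAMPLE.ORG"
KDC="kdc.example.org"
CLIENT_FQDN="client1.example.org"
CLIENT_IP="192.0.2.10"

# Emit a minimal krb5.conf: default realm, KDC/admin server, and a
# domain_realm mapping so host/<fqdn> principals resolve to the realm.
# dns_lookup_kdc is disabled so the KDC comes from this file, not DNS.
render_krb5_conf() {
    realm="$1"; kdc="$2"
    domain=$(printf '%s' "$realm" | tr '[:upper:]' '[:lower:]')
    cat <<EOF
[libdefaults]
    default_realm = $realm
    dns_lookup_kdc = false

[realms]
    $realm = {
        kdc = $kdc
        admin_server = $kdc
    }

[domain_realm]
    .$domain = $realm
    $domain = $realm
EOF
}

# Read hosts-file text on stdin; return 0 only if some non-comment line
# maps IP $1 to FQDN $2 as its first (canonical) name. Kerberos builds
# the host principal from the canonical name, so "IP short fqdn" is wrong.
hosts_has_fqdn() {
    awk -v ip="$1" -v fqdn="$2" '
        /^[[:space:]]*#/ || NF < 2 { next }
        $1 == ip && $2 == fqdn   { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Server-side (sshd_config) options for GSSAPI authentication;
# credential cleanup removes the forwarded ticket cache at logout.
sshd_gssapi_lines() {
    printf '%s\n' "GSSAPIAuthentication yes" "GSSAPICleanupCredentials yes"
}

# Client-side (ssh_config) options; delegation stays off by default so a
# compromised server cannot reuse the user's TGT.
ssh_gssapi_lines() {
    printf '%s\n' "GSSAPIAuthentication yes" "GSSAPIDelegateCredentials no"
}

# Usage: print the fragments for review; install them by hand afterwards.
render_krb5_conf "$REALM" "$KDC"
echo "# /etc/hosts line expected: $CLIENT_IP $CLIENT_FQDN ${CLIENT_FQDN%%.*}"
echo "# sshd_config:"; sshd_gssapi_lines
echo "# ssh_config:";  ssh_gssapi_lines
```

After installing the rendered krb5.conf, the checks the post itself describes still apply: `kinit user` followed by `klist` confirms the TGT, and `ktutil -k /etc/krb5.keytab list` confirms the host keytab is readable before enabling GSSAPI in sshd.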