Documentation:Kerberos

From UGCS
Jump to: navigation, search

Kerberos

UGCS uses MIT Kerberos for all of our authentication needs. This means that no matter which service you are using, you will be able to use the same password. For a brief introduction to how Kerberos works, see The Moron's Guide to Kerberos (Don't be put off by the name- this is a wonderful introduction to how Kerberos works).

What is Kerberos?

Kerberos is a single sign-on solution. This means you can enter your password once, and get access to a variety of services. It also means that when you want to change your password, you only have to do it once. Kerberos is designed with network security in mind, and uses encryption to prevent unauthorized users from stealing your credentials.


Setting up Kerberos

To use Kerberos on your machine, you need to possibly install it and add our servers. Our KDC servers are krb-head.ugcs.caltech.edu and krb-backup.ugcs.caltech.edu. Our Kerberos admin server is krb-head.ugcs.caltech.edu.


After you've set up Kerberos, you might want to setup passwordless ssh, or possibly afs on your personal machine.


Linux

To set up Kerberos on Linux, you need to install the MIT Kerberos client and configure it to use our Kerberos servers.

To install a Kerberos client, look at your distribution's documentation. On Ubuntu and Debian, install the "krb5-user" package. On RedHat and its derivatives, install the "krb5-libs" and "krb5-workstation" packages. If all else fails, you can download the source from http://web.mit.edu/Kerberos/

After your client is installed (you should have the "kinit" program), you need to add our domain servers. One way is to copy our krb5.conf file from http://www.ugcs.caltech.edu/kerberos/krb5.conf to /etc/krb5.conf. The relevant parts are below: 

[domain_realm]
        .ugcs.caltech.edu = UGCS.CALTECH.EDU
        ugcs.caltech.edu = UGCS.CALTECH.EDU

[libdefaults]
        default_realm = UGCS.CALTECH.EDU
        dns_fallback = yes
        forwardable = true
        proxiable = true

[realms]
        UGCS.CALTECH.EDU = {
                admin_server = krb-head.ugcs.caltech.edu:749
                kdc = krb-head.ugcs.caltech.edu:88
                kdc = krb-backup.ugcs.caltech.edu:88
        }

[v4 domain_realm]
        .ugcs.caltech.edu = UGCS.CALTECH.EDU
        ugcs.caltech.edu = UGCS.CALTECH.EDU

To test your installation, open a terminal and try "kinit" and "klist". Your klist output will probably differ, but should have the last line (service principal for krbtgt/UGCS.CALTECH.EDU) 

% kinit
Please enter the password for user@UGCS.CALTECH.EDU:
% klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: username@UGCS.CALTECH.EDU 

Valid starting     Expires            Service principal
09/10/09 21:57:37  09/10/10 21:57:35  krbtgt/UGCS.CALTECH.EDU@UGCS.CALTECH.EDU

Mac OS X

OS X 10.4 and above comes with a Kerberos client built in. There is even a kerberos gui front-end at /System/Library/CoreServices/Kerberos.app. You should copy our krb5.conf (see above) to /Library/Preferences/edu.mit.Kerberos. Follow the above directions to test your installation.


See Also

Retrieved from "http://www.ugcs.caltech.edu/wiki/Documentation:Kerberos"
Personal tools