PAM Kerberos Release Note
Edition 1
HP 9000 Networking
Manufacturing Part Number: J5849-90001
E0300
U.S.A.
© Copyright 2000 Hewlett-Packard Company. All rights reserved.
Legal Notices The information in this document is subject to change without notice. Hewlett-Packard makes no warranty of any kind with regard to this manual, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Hewlett-Packard shall not be held liable for errors contained herein or direct, indirect, special, incidental or consequential damages in connection with the furnishing, performance, or use of this material. Warranty.
©copyright 1980, 1984, 1986 Novell, Inc. ©copyright 1986-1992 Sun Microsystems, Inc. ©copyright 1985-86, 1988 Massachusetts Institute of Technology. ©copyright 1989-93 The Open Software Foundation, Inc. ©copyright 1986 Digital Equipment Corporation. ©copyright 1990 Motorola, Inc. ©copyright 1990, 1991, 1992 Cornell University ©copyright 1989-1991 The University of Maryland ©copyright 1988 Carnegie Mellon University Trademark Notices.
WITHIN THAT CONSTRAINT, permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of M.I.T. not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. M.I.T.
party. The OpenVision copyright notice must be preserved if derivative works are made based on the donated Source Code. OpenVision Technologies, Inc. has donated this Kerberos Administration system to MIT for inclusion in the standard Kerberos 5 distribution. This donation underscores our commitment to continuing Kerberos technology development and our gratitude for the valuable work which has been performed by MIT and the Kerberos community. PAM-kerberos5 module Copyright notice. Naomaru Itoi
restrictions. (This clause is necessary due to a potential bad interaction between the GPL and the restrictions contained in a BSD-style copyright.) THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
Announcement

PAM Kerberos is now supported on HP-UX 11.0 systems. It is based on the Kerberos Authentication System V5, developed by the Massachusetts Institute of Technology (MIT). This PAM Kerberos supports both the Microsoft Windows 2000 and the MIT Kerberos V5 Key Distribution Center (KDC). Kerberos is an authentication service for authenticating users or services across an open network.
Benefits

To support single sign-on between HP-UX and Microsoft Windows 2000 or other UNIX systems running MIT Kerberos, HP-UX provides PAM Kerberos, which integrates HP-UX login with any Kerberos 5 server, such as the Microsoft Windows 2000 Key Distribution Center (KDC) or the MIT KDC. PAM Kerberos authenticates entities without sending plaintext passwords over the network.
Product Description

PAM Kerberos consists of a shared PAM Kerberos library, /usr/lib/security/libpam_krb5.1, which provides the functionality for all four PAM module types: authentication, account management, session management and password management. PAM Kerberos, HP product number J5849AA, contains the following filesets as shown under HP Software Distributor (SD):

    PAM-KRB-SHLIB  /usr/lib/security/libpam_krb5.1
    PAM-KRB-MAN    /usr/share/man/man5.Z/pam_krb5.
and libpam_unix.1 are defined in the PAM stack as authentication modules. If a user is not authenticated by libpam_krb5.1, PAM will try to authenticate against libpam_unix.1 using the same password that was used with libpam_krb5.1. If PAM fails to authenticate with this password, authentication fails.

    login  auth  sufficient  /usr/lib/security/libpam_krb5.1
    login  auth  required    /usr/lib/security/libpam_unix.1  try_first_pass
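The following simulation is an added example, not HP's libpam or either module's code, to make the stack behaviour described above concrete: a sufficient module that succeeds ends the stack, a sufficient module that fails is ignored, a required module that fails makes the whole stack fail even though later modules still run, and try_first_pass hands the password typed for the first module to the next one instead of prompting again. The pam.conf fragment, the user names and the password tables are constructed for the example; the two "modules" are stubs over those tables.

```python
"""Walk a PAM 'auth' stack as the release note describes it.

Added illustration, not HP's PAM implementation.  The control-flag
semantics (sufficient / required / optional) follow the PAM specification
the note cites; the modules are stubs keyed on constructed password tables.
"""
from dataclasses import dataclass

# Constructed /etc/pam.conf fragment in the release note's column order:
# service  module-type  control-flag  module-path  [options]
PAM_CONF = """
login  auth  sufficient  /usr/lib/security/libpam_krb5.1
login  auth  required    /usr/lib/security/libpam_unix.1  try_first_pass
"""

# Constructed stand-ins for the KDC principal database and /etc/passwd.
KDC_PASSWORDS = {"alice": "krb-secret"}
UNIX_PASSWORDS = {"alice": "krb-secret", "bob": "local-only"}


@dataclass
class Entry:
    service: str
    mtype: str
    control: str
    module: str
    options: tuple


def parse_pam_conf(text):
    """Parse pam.conf lines into Entry records; comments and blanks are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 4:
            raise ValueError(f"malformed pam.conf line: {raw!r}")
        entries.append(Entry(parts[0], parts[1], parts[2], parts[3], tuple(parts[4:])))
    return entries


def run_module(module, user, password):
    """Stub for a module's pam_sm_authenticate(): True stands for PAM_SUCCESS."""
    if module.endswith("libpam_krb5.1"):
        return KDC_PASSWORDS.get(user) == password
    if module.endswith("libpam_unix.1"):
        return UNIX_PASSWORDS.get(user) == password
    raise ValueError(f"no stub for module {module}")


def authenticate(entries, service, user, typed_password, prompt=None):
    """Evaluate the auth stack for `service`.

    Returns (success, trace); trace lists (module, result) pairs in the order
    the modules ran.  `prompt` is called whenever a module that lacks
    try_first_pass would have to ask the user for the password again.
    """
    trace = []
    required_failed = False
    typed_once = False
    for e in entries:
        if e.service != service or e.mtype != "auth":
            continue
        if not typed_once or "try_first_pass" in e.options:
            password = typed_password            # reuse the first password
        else:
            password = prompt() if prompt else typed_password
        typed_once = True
        ok = run_module(e.module, user, password)
        trace.append((e.module.rsplit("/", 1)[-1], ok))
        if e.control == "required":
            if not ok:
                required_failed = True           # keep running, but the stack fails
        elif e.control == "sufficient":
            if ok and not required_failed:
                return True, trace               # short-circuit: nothing after it runs
        elif e.control != "optional":
            raise ValueError(f"unsupported control flag {e.control}")
    return (bool(trace) and not required_failed), trace


if __name__ == "__main__":
    stack = parse_pam_conf(PAM_CONF)
    for user, pw in [("alice", "krb-secret"), ("bob", "local-only"), ("bob", "wrong")]:
        print(user, authenticate(stack, "login", user, pw))
```

A service with no entries at all (ftp in the constructed fragment) is refused rather than accepted, which is the safe default when a stack has been misconfigured.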
For forwardable tickets to be granted, the user's account in the Kerberos Key Distribution Center (KDC) must specify that the user can be granted forwardable tickets.

proxiable

At times it may be necessary for a principal to allow a service to perform an operation on its behalf. The service must be able to take on the identity of the client, but only for a particular purpose, by being granted a proxy.
The session management module provides functions to initiate and terminate sessions. Since session management is not defined under Kerberos, this function simply returns success. It is provided for compatibility with the PAM specification.

Password Management

The password management module provides a function to change passwords in the Kerberos password database.
Support Tools

The following tools are available on HP-UX 11.0 to manage Kerberos credentials. They are located in the /usr/bin directory.

• kinit
• klist
• kdestroy

To configure kinit and klist, create and modify the configuration files /etc/krb5.conf and /krb5/krb.conf.

/krb5/krb.conf

Create a krb.conf file using the sample listed under Appendix D and replace the underlined REALM.HP.COM and hostname.hp.
home directory. Additionally, the system administrator may want to remove expired credential cache files with either a startup script or a cron job, to recover disk space and to prevent malicious access to the network credentials. See the kdestroy(1) man page for more details.

klist

klist lists the tickets in the credentials cache. See the klist(1) man page for more details.
Installation Requirements

Hardware Requirements
HP 9000 workstations and servers with a minimum of 32MB of memory and sufficient swap space (a minimum of 50MB is recommended).

Operating System Requirements
HP-UX 11.X

Disk Space Requirements
The minimum disk space required to install the product is 1MB. Additional disk space of approximately 1 KB per user is required to store the initial Ticket Granting Ticket in the credential cache file.
Configuration

Kerberos Configuration

There are three kinds of nodes in a Kerberos network authentication environment: Key Distribution Center (KDC), Application Client, and Application Server, as shown in the figure below.

Figure 1-1.
• /etc/krb5.conf

The krb5.conf file specifies the defaults for the realm and for Kerberos applications, the mappings of hostnames onto Kerberos realms, and the location of the KDCs for Kerberos realms. Application clients depend on the configuration file /etc/krb5.conf to locate the realm's KDC. Replace the underlined REALM.HP.COM and hostname.hp.com with the name of your Kerberos realm and hostname in the following example. The [libdefaults] section of the krb5.
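To show what an application client actually does with this file, here is an added example (not the MIT library's profile parser and not part of the release note) that parses a krb5.conf in the layout of the Appendix B sample and resolves a hostname to its realm and that realm's KDC list. REALM.HP.COM and hostname.hp.com are taken from the note; the second realm LAB.EXAMPLE.TEST, its KDC host names and the .lab.cup.hp.com mapping are constructed here to exercise longest-suffix matching in [domain_realm] and repeated kdc lines in [realms].

```python
"""Resolve the realm and KDC for a host from a krb5.conf.

Added example: a small hand-written parser for the [section],
key = value and name = { ... } layout used in the release note's sample,
plus the domain_realm lookup that application clients perform.
"""
import re

# Constructed config; REALM.HP.COM / hostname.hp.com are from the release
# note, LAB.EXAMPLE.TEST and the kdc*.lab.cup.hp.com names are made up.
KRB5_CONF = """\
[libdefaults]
    default_realm = REALM.HP.COM
    default_tkt_enctypes = DES-CBC-CRC
    default_tgs_enctypes = DES-CBC-CRC
    ccache_type = 2

[realms]
    REALM.HP.COM = {
        kdc = hostname.hp.com:88
        admin_server = hostname.hp.com
    }
    LAB.EXAMPLE.TEST = {
        kdc = kdc1.lab.cup.hp.com:88
        kdc = kdc2.lab.cup.hp.com
        admin_server = kdc1.lab.cup.hp.com
    }

[domain_realm]
    .cup.hp.com = REALM.HP.COM
    .lab.cup.hp.com = LAB.EXAMPLE.TEST
"""

SECTION_RE = re.compile(r"\[([\w-]+)\]")


def parse_krb5_conf(text):
    """Return {section: {key: value | [values] | {nested block}}}."""
    conf = {}
    stack = []                                  # innermost open block last
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SECTION_RE.fullmatch(line)
        if m:
            stack = [conf.setdefault(m.group(1), {})]
            continue
        if not stack:
            raise ValueError(f"line {lineno}: value outside any [section]")
        if line == "}":
            if len(stack) < 2:
                raise ValueError(f"line {lineno}: unmatched closing brace")
            stack.pop()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"line {lineno}: expected 'key = value'")
        key, value = key.strip(), value.strip()
        cur = stack[-1]
        if value == "{":                        # start of a nested block
            cur[key] = {}
            stack.append(cur[key])
        elif key in cur:                        # repeated key, e.g. several kdc lines
            prev = cur[key]
            cur[key] = (prev if isinstance(prev, list) else [prev]) + [value]
        else:
            cur[key] = value
    return conf


def realm_for_host(conf, host):
    """Map a hostname to a realm as [domain_realm] directs: an exact host entry
    wins, then the longest matching parent domain (leading-dot entries), and
    otherwise default_realm."""
    mapping = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
    host = host.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent]
    return conf["libdefaults"]["default_realm"]


def kdcs_for_realm(conf, realm):
    """Return [(host, port)] for the realm's kdc entries; the port defaults to 88."""
    entry = conf["realms"][realm]["kdc"]
    result = []
    for item in (entry if isinstance(entry, list) else [entry]):
        host, _, port = item.partition(":")
        result.append((host, int(port) if port else 88))
    return result


if __name__ == "__main__":
    conf = parse_krb5_conf(KRB5_CONF)
    for h in ("ws1.cup.hp.com", "ws2.lab.cup.hp.com", "other.example.org"):
        realm = realm_for_host(conf, h)
        print(h, "->", realm, kdcs_for_realm(conf, realm))
```

A host that matches no [domain_realm] entry silently falls back to default_realm, which is why a typo in that section sends a client to the wrong KDC rather than producing an error; checking the resolved realm for a few representative hosts after editing the file is a cheap sanity test.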
    klogin        543/tcp              # Kerberos rlogin -kfall
    kshell        544/tcp    cmd       # Kerberos remote shell
    kerberos-adm  749/tcp              # Kerberos 5 admin/changepw
    kerberos-adm  749/udp              # Kerberos 5 admin/changepw
    krb5_prop     754/tcp              # Kerberos slave propagation
    eklogin       2105/tcp             # Kerberos encrypted rlogin
    krb524        4444/tcp             # Kerberos 5 to 4 ticket translator
    kerberos-adm  464/udp              # Kerberos Password Change protocol
    kerberos-adm  464/tcp              # Kerberos Password Change protocol

See the services(4) man page.
    login  auth  required  /usr/lib/security/libpam_krb5.1  debug
    ftp    auth  required  /usr/lib/security/libpam_krb5.1

See the pam.conf(1) man page for more details and Appendix A for a sample /etc/pam.conf file.

• /etc/krb5.conf - identical configuration as described under KDC.
• /etc/services - identical configuration as described under KDC.

Application Client

An application client node is where an application client, such as telnet or ftp, is run.
kadmind and krb5kdc daemons. If you do not want a stash file, run kdb5_util without the -s option. Replace REALM.HP.COM with the name of your Kerberos realm in the following example. The kdb5_util command will prompt for the master key for the Kerberos database. The key can be any string.

    shell% /usr/local/sbin/kdb5_util create -r REALM.HP.COM -s

This will create five files in the directory specified in your kdc.conf file: two Kerberos database files, principal.
kadmin and issue the ktadd command as in the following example:

    shell% /usr/local/sbin/kadmin.local
    kadmin.local: ktadd -k /usr/local/var/krb5kdc/kadm5.keytab kadmin/admin \
        kadmin/changepw
    kadmin.local: quit

8. Start the Kerberos daemons by typing:

    shell% /usr/local/sbin/krb5kdc
    shell% /usr/local/sbin/kadmind

Verify that they started properly by checking for their startup messages in the logging location specified in /etc/krb5.conf.

9.
• Locate ktpass on the Microsoft Windows 2000 distribution.
• Use ktpass to create the keytab file and set up the account for the UNIX host:

    C:> ktpass -princ host/hostname@REALM-NAME -mapuser host \
        -pass password -out unixmachine.keytab

Configuring the corresponding Application Server (Kerberos Client)

1. Securely transfer the keytab file (the UNIX machine keytab file) to the UNIX host.
2. Merge the imported keytab with the default keytab file /etc/krb5.keytab.
Debugging Procedures

The PAM Kerberos module returns debug and error messages that are logged through the syslog utility. Use the appropriate syslog log levels to gather more information about error scenarios. Debug logging is enabled with the "debug" option on the Kerberos PAM module's entries in the /etc/pam.conf file.
    PAM Error code     Meaning                            Reason/More information
    PAM_CRED_UNAVAIL   Cannot retrieve user credentials   KRB5CCNAME is not set, OR the credential file does not exist, OR the user is not permitted to use the credential cache.
    PAM_CRED_EXPIRED   User credentials expired           Credentials expired. Re-initialize the credentials.
    PAM_CRED_ERR       Failure setting user credentials   Check the user's permissions to write to the credential cache.
Known Problems and Workarounds

• The kerberised system ftp service may list the /etc/issue file before the expected output. Refer to the sis(5) man page for more details on Secure Internet Services (SIS).
• "kdestroy -e" does not remove credentials that have expired. Use klist to determine the expired credentials, followed by kdestroy or kdestroy -c cachename.
Known Limitations

• The current kinit does not support the option for credential refreshment, i.e. "kinit -R". The libpam_krb5 library supports manual credential refreshment: a user application can call pam_setcred() with the PAM_REFRESH_CRED flag to refresh the credentials. This is a known problem with kinit in HP-UX 11.0.
• The current kinit uses only the UNIX TIME and DCE pre-authentication mechanisms.
Notes, Cautions and Warnings

• It is assumed that the system administrator is familiar with the Kerberos system. The configuration procedures are provided as a quick reference only.
• For each user, make sure that the UNIX uid, home directory, and shell information exist in the UNIX repository, such as /etc/passwd.
• The Kerberos PAM module sets and uses an environment variable, KRB5CCNAME, during authentication.
References

Standards
• PAM - Pluggable Authentication Module [Open Group RFC 86]
• Kerberos - Shared Secret Key Authentication mechanism [IETF RFC 1510]

The World Wide Web
Hewlett-Packard now provides a web site where the latest HP-UX documentation and updates are available. The site can be accessed through http://docs.hp.com.

Hewlett-Packard IT Resource Center:
• http://us-support.external.hp.com (US and Asia Pacific)
• http://europe-support.external.hp.
  http://www.cs.berkeley.edu/~bks/kerberos5/krb425.html
• Kerberos V5 System Administrator's Guide
  http://www.fnord.net/docs/admin.html

Microsoft Documentation
• Windows 2000 Kerberos Authentication, White Paper, Microsoft Corp
  http://www.microsoft.com/windows2000/library/howitworks/security/kerberos.asp
• Windows 2000 Kerberos Interoperability
  http://www.microsoft.com/windows2000/library/howitworks/security/kerbint.
Appendix A: Sample /etc/pam.conf file

    #
    # PAM configuration
    #
    # Authentication management
    #
    login    auth  sufficient  /usr/lib/security/libpam_krb5.1
    login    auth  required    /usr/lib/security/libpam_unix.1  try_first_pass
    su       auth  sufficient  /usr/lib/security/libpam_krb5.1
    su       auth  required    /usr/lib/security/libpam_unix.1  try_first_pass
    dtlogin  auth  sufficient  /usr/lib/security/libpam_krb5.1
    dtlogin  auth  required    /usr/lib/security/libpam_unix.1
    #
    # Password management
    #
    login     password  required  /usr/lib/security/libpam_krb5.1
    login     password  required  /usr/lib/security/libpam_unix.1
    passwd    password  required  /usr/lib/security/libpam_krb5.1
    passwd    password  required  /usr/lib/security/libpam_unix.1
    dtlogin   password  required  /usr/lib/security/libpam_krb5.1
    dtlogin   password  required  /usr/lib/security/libpam_unix.1
    dtaction  password  required
    dtaction  password  required
    OTHER     password  required
Appendix B: Sample /etc/krb5.conf file

Below is a sample /etc/krb5.conf that is configured for PAM Kerberos. Replace the underlined REALM.HP.COM and hostname.hp.com with the name of your Kerberos realm and hostname.

    [libdefaults]
        default_realm = REALM.HP.COM
        default_tkt_enctypes = DES-CBC-CRC
        default_tgs_enctypes = DES-CBC-CRC
        ccache_type = 2

    [realms]
        REALM.HP.COM = {
            kdc = hostname.hp.com:88
            admin_server = hostname.hp.com
        }

    [domain_realm]
        .cup.hp.com = REALM.HP.COM
Appendix C: Sample kdc.conf file

Below is a sample /usr/local/var/krb5kdc/kdc.conf. Replace the underlined REALM.HP.COM with the name of your Kerberos realm.

    [kdcdefaults]
        kdc_ports = 88,750

    [realms]
        REALM.HP.COM = {
            database_name = /usr/local/var/krb5kdc/principal
            admin_keytab = /usr/local/var/krb5kdc/kadm5.keytab
            acl_file = /usr/local/var/krb5kdc/kadm5.acl
            dict_file = /usr/local/var/krb5kdc/kadm5.dict
            key_stash_file = /usr/local/var/krb5kdc/.k5.REALM.HP.COM
Appendix D: Sample krb.conf file

Below is a sample /krb5/krb.conf. Replace the underlined REALM.HP.COM and hostname.hp.com with the name of your Kerberos realm and hostname.

    REALM.HP.COM
    REALM.HP.COM hostname.hp.com