This document describes how to install and configure Kerberos software on Linux and Mac OS X platforms at UNC Chapel Hill.
It is reviewed several times each year to ensure it remains accurate.
What is Kerberos?
Kerberos is a secure, enterprise-level authentication system, designed to provide strong authentication for client/server applications by using secret-key cryptography. With Kerberos, information obtained from your login (your ONYEN userid and password) is used to create a Kerberos ticket. This ticket is then used to authenticate to Kerberos-aware services.
Kerberos configuration
Most UNIX distributions come with Kerberos client software. In order to use Kerberos for user authentication on your system, you will need to install the appropriate software packages if they are not already installed. Then:
- update a Kerberos configuration file with information about the UNC-CH Kerberos service
- configure the OS to use Kerberos for authentication
The following sections provide instructions for setting up Kerberos authentication on (some/supported) Linux and Mac OS X platforms.
krb5.conf
A standard /etc/krb5.conf file for UNC-CH looks like this:
[libdefaults]
default_realm = ISIS.UNC.EDU
[realms]
ISIS.UNC.EDU = {
kdc = krb3.unc.edu
kdc = krb2.unc.edu
kdc = krb1.unc.edu
kdc = krb0.unc.edu
admin_server = krba.unc.edu
default_domain = isis.unc.edu
}
[domain_realm]
.unc.edu = ISIS.UNC.EDU
.
Make sure the ownership and permissions are set correctly. The file should be owned and writeable by the root user and readable by everyone.
Setting Up Kerberos on Linux
The following packages are required:
- krb5-libs
- krb5-workstation
- pam_krb5
You can use yum to install these packages:
# yum install krb5-libs krb5-workstation pam_krb5
Linux uses Pluggable Authentication Module (PAM) technology and supports Kerberos authentication through the pam_krb5 module. Use the authconfig utility to enable kerberos in PAM:
# authconfig --enablekrb5 --update
Setting Up Kerberos on Mac OS X
Kerberos 5 support is built into Mac OS X, so no installation of packages is required.
Update the /Library/Preferences/edu.mit.Kerberos file with the information from the sample /etc/krb5.conf file above. If the edu.mit.Kerberos file doesn’t exist, go ahead and create it.
Testing Kerberos Client Installation
Now that you have installed and configured your Kerberos client software, it’s time to make sure it is working correctly.
Open a terminal window and authenticate with the kinit command, replacing <onyen> and <onyen_password> with your UNC-CH Onyen and password.
$ kinit <onyen>
Password for onyen@ISIS.UNC.EDU: <onyen_password>
Then view the Kerberos ticket created by kinit with the klist command. You should see something like the following.
$ klist
Ticket cache: FILE:/tmp/krb5cc_123
Default principal: onyen@ISIS.UNC.EDU
Valid starting Expires Service principal
05/05/09 15:26:41 05/06/09 15:26:41 krbtgt/ISIS.UNC.EDU@ISIS.UNC.EDU
Finally, remove your Kerberos ticket with the kdestroy command and verify that the ticket is gone.
$ kdestroy
$ klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_123)
On OS X, there is also a Mac application which can be used to manage your Kerberos tickets.
1. Open Keychain Access (in /Applications/Utilities).
2. From the Keychain Access menu, choose Kerberos Ticket Viewer.
3. Click “New”, enter your Onyen and password in the appropriate fields and click “OK”.
4. An entry will appear in the main Ticket Viewer window for the ticket that was just created:
The Kerberos Ticket Viewer application can also be used to renew or destroy your tickets.