Chapter 10. Kerberos
Note
Kerberos depends on certain network services to work correctly. First, Kerberos requires approximate clock synchronization between the machines on the network. Therefore, a clock synchronization program should be set up for the network, such as ntpd.
Also, since certain aspects of Kerberos rely on the Domain Name Service (DNS), be sure that the DNS entries and hosts on the network are all properly configured. See the Kerberos V5 System Administrator's Guide, provided in PostScript and HTML formats in /usr/share/doc/krb5-server-<version-number> (where <version-number> is the version installed on the system) for more information.
10.5. Kerberos and PAM
Currently, kerberized services do not make use of Pluggable Authentication Modules (PAM); kerberized servers bypass PAM completely. However, applications that use PAM can make use of Kerberos for authentication if the pam_krb5 module (provided in the pam_krb5 package) is installed.
The pam_krb5 package contains sample configuration files that allow services like login and gdm to authenticate users and obtain initial credentials using their passwords. If access to network servers is always done using kerberized services or services that use GSS-API, like IMAP, the network can be considered reasonably safe.
Careful administrators will not add Kerberos password checking to all network services because most of the protocols used by these services do not encrypt the password before sending it over the network.
The next section will describe how to set up a basic Kerberos server.
10.6. Configuring a Kerberos 5 Server
When you are setting up Kerberos, install the server first. If you need to set up slave servers, the details of setting up relationships between master and slave servers are covered in the Kerberos 5 Installation Guide located in the /usr/share/doc/krb5-server-<version-number> directory.
To configure a basic Kerberos server, follow these steps:
1. Be sure that you have clock synchronization and DNS working on your server before configuring Kerberos 5. Pay particular attention to time synchronization between the Kerberos server and its various clients. If the server and client clocks are different by more than five minutes (this default amount is configurable in Kerberos 5), Kerberos clients will not be able to authenticate to the server. This clock synchronization is necessary to prevent an attacker from using an old Kerberos ticket to masquerade as a valid user.
You should set up a Network Time Protocol (NTP) compatible client/server network, even if you are not using Kerberos. Red Hat Linux 8.0 includes the ntp package for easy installation. See http://www.eecis.udel.edu/~ntp for additional information on NTP.
2. Install the krb5-libs, krb5-server, and krb5-workstation packages on the dedicated machine which will run your KDC. This machine needs to be very secure; if possible, it should not run any services other than the KDC.
If you would like to use a Graphical User Interface utility to administrate Kerberos, you should also install the gnome-kerberos package. It contains krb5, a GUI tool for managing tickets.
3. Edit the /etc/krb5.conf and /var/kerberos/krb5kdc/kdc.conf configuration files to reflect your realm name and domain-to-realm mappings. A simple realm can be constructed by replacing instances of EXAMPLE.COM and example.com with your domain name, being certain to keep uppercase and lowercase names in the correct format, and by changing the
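The placeholder substitution of step 3, as an added example that is not part of the Red Hat guide: a small shell script that derives the upper-case realm from a lower-case DNS domain and rewrites EXAMPLE.COM and example.com in a constructed copy of krb5.conf so that realm names stay upper-case and DNS names lower-case. The sample file, its clockskew value (the five-minute default from step 1, in seconds) and the domain corp.test are assumptions made for the demo; the same substitute_realm function works on kdc.conf, which uses the same placeholders.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide: derive the realm name from a DNS
# domain and rewrite the EXAMPLE.COM / example.com placeholders in a copy of
# krb5.conf, keeping realm names upper-case and DNS names lower-case.
# Assumption: the placeholder file uses the same layout as the sample below.

# Kerberos convention: the realm name is the DNS domain in upper case.
realm_from_domain() {
    printf '%s' "$1" | tr '[:lower:]' '[:upper:]'
}

# Write a constructed placeholder krb5.conf to the file named in $1.
# clockskew is the five-minute default mentioned in step 1, in seconds.
write_sample_conf() {
    cat > "$1" <<'EOF'
[libdefaults]
 default_realm = EXAMPLE.COM
 clockskew = 300

[realms]
 EXAMPLE.COM = {
  kdc = kerberos.example.com:88
  admin_server = kerberos.example.com:749
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
EOF
}

# Replace the placeholders in file $1 with the domain in $2: the upper-case
# placeholder becomes the upper-case realm and the lower-case one the DNS
# domain, so every name in [realms] and [domain_realm] keeps the right case.
substitute_realm() {
    file=$1
    domain=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    realm=$(realm_from_domain "$domain")
    sed -e "s/EXAMPLE\.COM/$realm/g" -e "s/example\.com/$domain/g" "$file" \
        > "$file.tmp" && mv "$file.tmp" "$file"
}

# Demo on a scratch copy; point substitute_realm at the real files to use it.
demo=$(mktemp)
write_sample_conf "$demo"
substitute_realm "$demo" "corp.test"
cat "$demo"
rm -f "$demo"
```

After substitution, the default_realm and the [domain_realm] targets read CORP.TEST while the kdc and admin_server hostnames read kerberos.corp.test.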