6. Client Configuration

6.1. General GNU/Linux Client Configuration

GNU/Linux distributions of Kerberos include a client package which contains all of the software and configuration files needed to set up a GNU/Linux machine to perform Kerberos authentication against a KDC. On Fedora-derived GNU/Linux distributions, this package is krb5-workstation. In order for your system to be capable of Kerberos authentication, including authentication by kerberized applications, you must configure Kerberos on the system.

Configuration involves editing the /etc/krb5.conf file. In this file, you must specify your realm, KDCs, administrative server, logging, default domain, and KDC information. You must also modify the kdc.conf file, whose location you may specify in krb5.conf; the default location is /var/Kerberos/krb5kdc/kdc.conf. The kdc.conf file contains information about the encryption algorithm policy of the realm.

The configuration information for the system on which you wish to perform Kerberos authentication is the same information that was placed in the /etc/krb5.conf file on the KDC. Here are example krb5.conf and kdc.conf configuration files from a client for the Gnu University Dublin example.
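The following krb5.conf and kdc.conf are an added example for the GNUD.IE realm used throughout this howto; they are not the page's original files. The KDC hostname kdc.gnud.ie, the client-side log file names other than krb5kdc.log, and the AES encryption type policy are assumptions. The [kdc] section in krb5.conf points at the kdc.conf location mentioned above; kdc.conf itself is read by the KDC daemons, so the realm policy in it only takes effect on the KDC host.

```ini
# /etc/krb5.conf (added example for the GNUD.IE realm; hostnames assumed)
[logging]
 default = FILE:/var/log/Kerberos/krb5libs.log
 kdc = FILE:/var/log/Kerberos/krb5kdc.log
 admin_server = FILE:/var/log/Kerberos/kadmind.log

[libdefaults]
 default_realm = GNUD.IE
 # Pin realm and KDC discovery to this file rather than trusting DNS answers.
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = true

[realms]
 GNUD.IE = {
  kdc = kdc.gnud.ie:88
  admin_server = kdc.gnud.ie:749
  default_domain = gnud.ie
 }

[domain_realm]
 .gnud.ie = GNUD.IE
 gnud.ie = GNUD.IE

[kdc]
 # Location of the KDC-side policy file discussed above.
 profile = /var/Kerberos/krb5kdc/kdc.conf

# /var/Kerberos/krb5kdc/kdc.conf (added example; enctype choice is an assumption)
[kdcdefaults]
 kdc_ports = 88

[realms]
 GNUD.IE = {
  master_key_type = aes256-cts
  # Realm-wide encryption policy: only AES key types are issued for new keys.
  supported_enctypes = aes256-cts:normal aes128-cts:normal
 }
```

Disabling DNS lookups means a host that can poison your resolver cannot redirect clients to a KDC of its choosing; the trade-off is that every KDC change must be rolled out to /etc/krb5.conf on each client.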

Now, you can test Kerberos authentication using the kinit command:

bash$ kinit <username>

If your authentication fails, the best place to look for a description of the cause is the system log files on the client and the KDC log file on the KDC against which authentication was performed. When troubleshooting authentication issues, it can be very helpful to have a terminal window open to the KDC running tail -f on the KDC log. In our example krb5.conf, the location of the KDC log was /var/log/Kerberos/krb5kdc.log.

6.2. PAM

PAM (Pluggable Authentication Modules), the authentication framework shipped with many GNU/Linux distributions, can integrate with Kerberos through the pam_krb5 module. To use Kerberos authentication with PAM, you must install the pam_krb5 module and modify the PAM configuration files.

The pam_krb5 module comes with sample configuration files, located in /usr/share/doc/pam_krb5-1.55/pam.d. The basic change these files make, to allow PAM-controlled services to authenticate against Kerberos, is a line similar to the following:

auth       required     /lib/security/ use_first_pass
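To show where that line sits in a complete stack, here is an added example of a PAM service file, not one of the pam_krb5 sample files. The module directory /lib/security and the file name pam_krb5.so are assumptions matching the older layout the howto uses.

```text
# /etc/pam.d/login (added example; module paths assumed)
# pam_unix collects the password first; pam_krb5 reuses it via use_first_pass
# so the user is prompted once. "sufficient" lets either succeed on its own,
# and the trailing pam_deny closes the stack if both fail.
auth       required     /lib/security/pam_env.so
auth       sufficient   /lib/security/pam_unix.so likeauth
auth       sufficient   /lib/security/pam_krb5.so use_first_pass
auth       required     /lib/security/pam_deny.so

# Account checks: a principal unknown to Kerberos is ignored rather than
# treated as a failure, so local-only accounts still work.
account    required     /lib/security/pam_unix.so
account    [default=bad success=ok user_unknown=ignore] /lib/security/pam_krb5.so

# Password changes go to Kerberos first; use_authtok reuses the new password
# already collected by the previous module.
password   sufficient   /lib/security/pam_krb5.so use_authtok
password   sufficient   /lib/security/pam_unix.so use_authtok shadow
password   required     /lib/security/pam_deny.so

session    required     /lib/security/pam_limits.so
session    required     /lib/security/pam_unix.so
session    optional     /lib/security/pam_krb5.so
```

The ordering matters: if pam_krb5 were listed before pam_unix without use_first_pass, users would be prompted twice, and if pam_deny were omitted a stack in which every module is "sufficient" would fall through to the default result of the last module.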

6.3. Apache Web Server

Kerberos can be used as an authentication mechanism for the Apache Web Server. The mod_auth_kerb application is an Apache module which provides that functionality. Using that module, you will be able to set Kerberos as an authentication type for access control stanzas in the httpd.conf file. Be aware that while Kerberos is being used, this is a less than ideal authentication mechanism because tickets are stored on the web server rather than on the client machine. However, if your goal is to implement a single sign-on solution or consolidate accounts, there is value here. mod_auth_kerb is capable of supporting Kerberos 4; however, that is not covered in this howto because of the known weaknesses of version 4 of the protocol.

The mod_auth_kerb website can be found at . It is important to use the HTTPS protocol when accessing a site which uses mod_auth_kerb, since mod_auth_kerb uses the Basic auth mechanism. Basic auth uses base64 encoding, which can trivially be decoded back to plaintext. Therefore it is important that the authentication exchange is SSL encrypted, to ensure that the user name and password are protected when they are transmitted to the web server.

To compile Apache with the mod_auth_kerb module, you must take the following steps:

bash$ export 'LIBS=-L/usr/Kerberos/lib -lkrb5 -lcrypto -lcom_err'
bash$ export 'CFLAGS=-DKRB5 -DKRB_DEF_REALM=\"GNUD.IE\"'
bash$ export 'INCLUDES=-I/usr/Kerberos/include'
bash$ cd apache_x.x.x
bash$ mkdir src/modules/kerberos
bash$ cp ../mod_auth_kerb-x.x.x.c src/modules/kerberos/mod_auth_kerb.c
bash$ ./configure --prefix=/home/httpd --add-module=src/modules/kerberos/mod_auth_kerb.c
bash$ make
bash$ make install

You should test Apache to make sure that it works. Once you have a known working copy of SSL-enabled Apache on the machine, you can modify the httpd.conf file to provide Kerberos authentication for a directory.

Here is an example stanza for the mod_auth_kerb Apache module which enables Kerberos 5 authentication for a directory:

<Directory "/home/httpd/htdocs/content">
   AllowOverride None
   AuthType KerberosV5
   AuthName "Kerberos Login"
   KrbAuthRealm GNUD.IE
   require valid-user
</Directory>
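Because the password travels as Basic auth, the stanza above should only ever be reachable over HTTPS. The following is an added example, not from the howto, that places the same directives inside an SSL-enabled virtual host and refuses plaintext requests for the directory; the ServerName and certificate paths are placeholders.

```apache
# Added example: Kerberos-protected directory served only over SSL.
# ServerName and certificate/key paths are placeholders.
<VirtualHost _default_:443>
    ServerName www.gnud.ie
    SSLEngine on
    SSLCertificateFile    /etc/httpd/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key

    <Directory "/home/httpd/htdocs/content">
        AllowOverride None
        # Belt and braces: even if this block is later copied into the global
        # configuration, mod_ssl will reject any request that is not SSL.
        SSLRequireSSL
        AuthType KerberosV5
        AuthName "Kerberos Login"
        KrbAuthRealm GNUD.IE
        require valid-user
    </Directory>
</VirtualHost>
```

If the same DocumentRoot is also served by a port 80 virtual host, do not copy the Directory block there; a Kerberos-protected path on the plaintext host would prompt for, and transmit, the user's password unencrypted.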

6.4. Microsoft Windows

Due to a flawed implementation of the Kerberos standard by Microsoft, there is limited compatibility between standard MIT Kerberos and Microsoft's version. Microsoft has published a document which describes the limited ways in which Microsoft's broken version of Kerberos is able to interoperate with standard Kerberos. That document is available here.

