To authenticate local logins against Project Vincent, you will need to have Kerberos IV installed on your machine and configured to use IASTATE.EDU as its default domain.
There are a number of different sources for Kerberos IV support under Linux. In addition to the original MIT packages, Cygnus Solutions provides packages and commercial support for Kerberos. There are also RPMs, preconfigured for use at Iowa State, available from ftp://aafugit.org/VINCENT/crypto/. These RPMs are based on kth-krb4, an international version of Kerberos IV distributed from Sweden. Source code for kth-krb4 is also available from http://www.pdc.kth.se/kth-krb/.
For Project Vincent, you will need at least the libkrb4 and kth-krb4 packages. You may also find the kth-krb4-telnet package useful.
Once you've installed Kerberos IV on your system, you'll need to configure it for use with Iowa State's KDC. If you use the aafugit.org packages, no additional configuration is necessary. Otherwise, you'll need to add the following lines to the very top of your /etc/krb.conf (or /usr/athena/etc/krb.conf, depending on the package layout on your system):
IASTATE.EDU
IASTATE.EDU kerberos-1.iastate.edu admin server
IASTATE.EDU kerberos95.iastate.edu
These lines specify the default Kerberos domain and a list of available Kerberos servers for the domain.
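As an added example (not from the original page), the following shell script parses a krb.conf laid out as above: the first line names the default realm, and each further line names one server for a realm, with "admin server" marking the host that accepts administrative requests. The sample file is constructed inline from the hostnames given on this page; the function names are the example's own.

```shell
#!/bin/sh
# Added example: read a Kerberos IV krb.conf and report what it configures.
# Format assumed (matches the page): line 1 = default realm;
# later lines = "REALM kdc-hostname [admin server]".

# Constructed sample krb.conf (a temp file, not the system's /etc/krb.conf).
SAMPLE_KRB_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_KRB_CONF"' EXIT
cat > "$SAMPLE_KRB_CONF" <<'EOF'
IASTATE.EDU
IASTATE.EDU kerberos-1.iastate.edu admin server
IASTATE.EDU kerberos95.iastate.edu
EOF

# Print the default realm: the first field of line 1.
krb_default_realm() {
    awk 'NR == 1 { print $1 }' "$1"
}

# Print every server hostname listed for the given realm, one per line.
krb_kdcs_for_realm() {
    awk -v realm="$2" 'NR > 1 && $1 == realm { print $2 }' "$1"
}

# Print the host tagged "admin server" for the realm (first match), if any.
krb_admin_server() {
    awk -v realm="$2" \
        'NR > 1 && $1 == realm && $3 == "admin" && $4 == "server" { print $2; exit }' "$1"
}

# Sanity check: a default realm must be present and have at least one server.
# Returns 0 when the file passes, 1 otherwise, and explains the failure.
krb_conf_check() {
    conf=$1
    realm=$(krb_default_realm "$conf")
    if [ -z "$realm" ]; then
        echo "no default realm on line 1 of $conf"
        return 1
    fi
    nkdc=$(awk -v realm="$realm" 'NR > 1 && $1 == realm { n++ } END { print n + 0 }' "$conf")
    if [ "$nkdc" -lt 1 ]; then
        echo "no server listed for default realm $realm in $conf"
        return 1
    fi
    admin=$(krb_admin_server "$conf" "$realm")
    echo "krb.conf ok: realm=$realm servers=$nkdc admin=${admin:-none}"
    return 0
}

krb_conf_check "$SAMPLE_KRB_CONF"
```

Run it as-is to check the constructed sample, or call krb_conf_check on a real /etc/krb.conf path after sourcing the functions.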
In addition to Kerberos IV, you will need to download and install pam_krb4, available from ftp://ftp.dementia.org/pub/pam/. This PAM module ties into the login and xdm services, so that they authenticate against the KDC instead of against the local password file. To build pam_krb4 against kth-krb4, you will need to download a patch from ftp://aafugit.org/VINCENT/crypto/patches/pam_krb4.patch and apply it. To do this, change to the pam_krb4 directory and run patch -p1 < pam_krb4.patch. You can then build and install the module by running make all install.
After installing the module, you will need to configure the services you want to use Kerberos. The most important of these services are xdm, login, and su; you may also want to configure applications such as chfn, chsh, gdm, vlock, and xscreensaver to use Kerberos. To configure each of these services under RedHat, you will need to modify the appropriate configuration file of the same name in the /etc/pam.d/ directory on your system. Below is a sample configuration file for the login service:
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_nologin.so
auth       sufficient   /lib/security/pam_unix.so
auth       required     /lib/security/pam_krb4.so use_first_pass
account    required     /lib/security/pam_unix.so
password   required     /lib/security/pam_cracklib.so
password   sufficient   /lib/security/pam_unix.so use_authtok \
                            md5 shadow
password   required     /lib/security/pam_krb4.so use_authtok \
                            try_first_pass
session    required     /lib/security/pam_unix.so
session    required     /lib/security/pam_krb4.so
session    optional     /lib/security/pam_console.so
In this config file, login will first attempt to authenticate the user against the local password file; if that fails, login will authenticate against the KDC and retrieve a Kerberos ticket-granting ticket (TGT) for the user.
For the most part, this looks like the /etc/pam.d/login file that ships with RedHat, with a few significant differences. First, you'll notice the presence of pam_krb4.so; second, pam_pwdb.so has been replaced by pam_unix.so throughout the configuration. You must use pam_unix instead of pam_pwdb here because, whereas pam_unix uses standard library calls to access account information, pam_pwdb reads the password file directly. This is important for reasons which will become apparent later on.
Please note that pam_krb4 is only intended for local access, and should not be used to authenticate network services. In particular, because telnetd uses /bin/login for user authentication, it is important that you disallow telnet access to the machine. Leaving telnet access open will completely nullify the security benefits of Kerberos, allowing an attacker to sniff passwords on the network! Properly configuring your workstation to function as a network server within a Kerberos domain requires the assistance of the domain administrator. It should be possible to use pam_krb4 authentication with encrypted network services such as ssh; however, this configuration is not recommended.
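The following shell script is an added example, not part of the original page, that audits a login PAM configuration for the properties described above (pam_krb4 present in the auth stack, pam_pwdb replaced by pam_unix, a sufficient pam_unix entry ahead of a required pam_krb4 use_first_pass entry) and checks whether telnet is still enabled in an inetd.conf. The sample files are constructed inline: one is the login configuration shown on this page, the other is a stock-style file that still uses pam_pwdb. File paths are arguments, so the same functions can be pointed at /etc/pam.d/login and /etc/inetd.conf; the function names are the example's own.

```shell
#!/bin/sh
# Added example: audit a PAM login config and an inetd.conf against the
# recommendations on the page. Samples below are constructed for the demo.

TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT

# Constructed sample: the login config from the page, including the
# backslash line continuations.
cat > "$TMPD/login" <<'EOF'
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_nologin.so
auth       sufficient   /lib/security/pam_unix.so
auth       required     /lib/security/pam_krb4.so use_first_pass
account    required     /lib/security/pam_unix.so
password   required     /lib/security/pam_cracklib.so
password   sufficient   /lib/security/pam_unix.so use_authtok \
                            md5 shadow
password   required     /lib/security/pam_krb4.so use_authtok \
                            try_first_pass
session    required     /lib/security/pam_unix.so
session    required     /lib/security/pam_krb4.so
session    optional     /lib/security/pam_console.so
EOF

# Constructed sample: a stock-style config with pam_pwdb and no pam_krb4.
cat > "$TMPD/login.stock" <<'EOF'
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_pwdb.so shadow nullok
account    required     /lib/security/pam_pwdb.so
session    required     /lib/security/pam_pwdb.so
EOF

# Constructed inetd.conf fragments: telnet active vs. commented out.
printf 'telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd\n' > "$TMPD/inetd.on"
printf '#telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd\n' > "$TMPD/inetd.off"

# Emit one record per PAM entry ("type control module args..."): join
# backslash-continued lines and drop blank lines and comments.
pam_entries() {
    awk '
        { rec = rec $0 }
        sub(/\\$/, "", rec) { next }                             # continued on next line
        rec ~ /^[ \t]*#/ || rec !~ /[^ \t]/ { rec = ""; next }   # comment or blank
        { print rec; rec = "" }' "$1"
}

# 0 if the auth stack contains pam_krb4, 1 otherwise.
pam_uses_krb4() {
    pam_entries "$1" | awk '$1 == "auth" && $3 ~ /pam_krb4\.so$/ { f = 1 } END { exit !f }'
}

# 0 if pam_pwdb appears anywhere (the page says to use pam_unix instead).
pam_uses_pwdb() {
    pam_entries "$1" | awk '$3 ~ /pam_pwdb\.so$/ { f = 1 } END { exit !f }'
}

# 0 if "auth sufficient pam_unix" precedes "auth required pam_krb4 use_first_pass".
pam_auth_order_ok() {
    pam_entries "$1" | awk '
        $1 != "auth" { next }
        $2 == "sufficient" && $3 ~ /pam_unix\.so$/ { unix_at = NR }
        $2 == "required" && $3 ~ /pam_krb4\.so$/ && $4 == "use_first_pass" { krb_at = NR }
        END { exit !(unix_at && krb_at && unix_at < krb_at) }'
}

# 0 if an uncommented telnet service line is present in the inetd.conf given.
telnet_enabled() {
    awk '$1 == "telnet" { f = 1 } END { exit !f }' "$1"
}

# Run every check; prints each finding and returns the number of problems.
audit_login() {
    pam=$1; inetd=$2; problems=0
    pam_uses_krb4 "$pam" || { echo "FAIL: no pam_krb4 in the auth stack of $pam"; problems=$((problems + 1)); }
    if pam_uses_pwdb "$pam"; then echo "FAIL: pam_pwdb used in $pam; replace it with pam_unix"; problems=$((problems + 1)); fi
    pam_auth_order_ok "$pam" || { echo "FAIL: expected 'auth sufficient pam_unix' before 'auth required pam_krb4 use_first_pass' in $pam"; problems=$((problems + 1)); }
    if telnet_enabled "$inetd"; then echo "FAIL: telnet enabled in $inetd; passwords typed to /bin/login over telnet cross the network in clear"; problems=$((problems + 1)); fi
    echo "$problems problem(s) found"
    return "$problems"
}

audit_login "$TMPD/login" "$TMPD/inetd.off"
audit_login "$TMPD/login.stock" "$TMPD/inetd.on"
```

The page's configuration passes all checks; the stock-style file with telnet enabled reports four problems. The script only inspects files, so it is safe to run against the live /etc/pam.d/login and /etc/inetd.conf.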