Authentication

To authenticate local logins against Project Vincent, you will need to have Kerberos IV installed on your machine and configured to use IASTATE.EDU as its default domain.

Getting Kerberos IV

There are a number of different sources for Kerberos IV support under Linux. In addition to the original MIT packages, Cygnus Solutions provides packages and commercial support for Kerberos. There are also RPMs, preconfigured for use at Iowa State, available from ftp://aafugit.org/VINCENT/crypto/. These RPMs are based on kth-krb4, an international version of Kerberos IV distributed from Sweden. Source code for kth-krb4 is also available from http://www.pdc.kth.se/kth-krb/.

For Project Vincent, you will need at least the libkrb4 and kth-krb4 packages. You may also find the kth-krb4-telnet package useful.

Configuring Kerberos IV

Once you've installed Kerberos IV on your system, you'll need to configure it for use with Iowa State's KDC. If you use the aafugit.org packages, no additional configuration is necessary. Otherwise, you'll need to add the following lines to the very top of your /etc/krb.conf (or /usr/athena/etc/krb.conf, depending on the package layout on your system):

IASTATE.EDU
IASTATE.EDU kerberos-1.iastate.edu admin server
IASTATE.EDU kerberos95.iastate.edu

These lines specify the default Kerberos domain and a list of available Kerberos servers for the domain.

pam_krb4

In addition to Kerberos IV, you will need to download and install pam_krb4, available from ftp://ftp.dementia.org/pub/pam/. This PAM module ties into the login and xdm services, so that they authenticate against the KDC instead of against the local password file. To build pam_krb4 against kth-krb4, you will need to download a patch from ftp://aafugit.org/VINCENT/crypto/patches/pam_krb4.patch and apply it. To do this, change to the pam_krb4 directory and run patch -p1 < pam_krb4.patch. You can then build and install the module by running make all install.

After installing the module, you will need to configure the services you want to use Kerberos. The most important of these services are xdm, login, and su; you may also want to configure applications such as chfn, chsh, gdm, vlock, and xscreensaver to use Kerberos. To configure each of these services under RedHat, you will need to modify the appropriate configuration file of the same name in the /etc/pam.d/ directory on your system. Below is a sample configuration file for the login service:

auth       required       /lib/security/pam_securetty.so
auth       required       /lib/security/pam_nologin.so
auth       sufficient     /lib/security/pam_unix.so
auth       required       /lib/security/pam_krb4.so use_first_pass
account    required       /lib/security/pam_unix.so
password   required       /lib/security/pam_cracklib.so
password   sufficient     /lib/security/pam_unix.so use_authtok \
                               md5 shadow
password   required       /lib/security/pam_krb4.so use_authtok \
                               try_first_pass
session    required       /lib/security/pam_unix.so
session    required       /lib/security/pam_krb4.so
session    optional       /lib/security/pam_console.so

In this config file, login will first attempt to authenticate the user against the local password file; if that fails, login will authenticate against the KDC and retrieve a Kerberos ticket-granting ticket (TGT) for the user.

For the most part, this looks like the /etc/pam.d/login file that ships with RedHat, with a few significant differences. First, you'll notice the presence of pam_krb4.so; second, pam_pwdb.so has been replaced by pam_unix.so throughout the configuration. You must use pam_unix instead of pam_pwdb here because, whereas pam_unix uses standard library calls to access account information, pam_pwdb reads the password file directly. This is important for reasons which will become apparent later on.
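Added here as an example, not part of the original page: a small POSIX shell checker for the login stack above. It joins the backslash-continued lines, rejects any remaining pam_pwdb.so entry, and confirms that the local pam_unix.so check is tried before pam_krb4.so with use_first_pass. The sample it writes is a constructed copy of part of the file shown above; the function names are the example's own.

```shell
# Checker for the /etc/pam.d/login layout described above (added example, not
# from the original page; assumes only a POSIX shell, awk, grep and mktemp).

# pam_entries FILE: one entry per line, backslash continuations joined (the
# sample stack uses them), comment and blank lines dropped.
pam_entries() {
    awk 'sub(/\\[[:space:]]*$/, "") { buf = buf $0; next }
         { print buf $0; buf = "" }' "$1" | grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$'
}

# auth_pos ENTRIES CONTROL MODULE: 1-based position of the first auth entry
# with that control flag and module (regex), empty if none.
auth_pos() {
    printf '%s\n' "$1" | grep -nE "^auth[[:space:]]+$2[[:space:]]+[^[:space:]]*$3" | head -n 1 | cut -d: -f1
}

# check_login_stack FILE: return 0 when the stack matches the text above: no
# pam_pwdb.so, pam_krb4.so required with use_first_pass, and the local
# pam_unix.so (sufficient) tried before it. Prints a reason on failure.
check_login_stack() {
    entries=$(pam_entries "$1"); rc=0
    if printf '%s\n' "$entries" | grep -q 'pam_pwdb\.so'; then
        echo "FAIL: pam_pwdb.so still present; replace it with pam_unix.so"; rc=1
    fi
    if ! printf '%s\n' "$entries" | grep -Eq '^auth[[:space:]]+required[[:space:]]+[^[:space:]]*pam_krb4\.so[[:space:]].*use_first_pass'; then
        echo "FAIL: no 'auth required ... pam_krb4.so use_first_pass' entry"; rc=1
    fi
    unix_at=$(auth_pos "$entries" sufficient 'pam_unix\.so')
    krb_at=$(auth_pos "$entries" required 'pam_krb4\.so')
    if [ -z "$unix_at" ] || [ -z "$krb_at" ] || [ "$unix_at" -ge "$krb_at" ]; then
        echo "FAIL: pam_unix.so (sufficient) must precede pam_krb4.so in the auth section"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $1 matches the expected login stack"
    return "$rc"
}

# write_sample_login FILE: constructed copy of the auth/password part of the
# sample stack shown above (continuation line included on purpose).
write_sample_login() {
    cat > "$1" <<'EOF'
auth       required       /lib/security/pam_securetty.so
auth       sufficient     /lib/security/pam_unix.so
auth       required       /lib/security/pam_krb4.so use_first_pass
password   sufficient     /lib/security/pam_unix.so use_authtok \
                               md5 shadow
EOF
}
# Stand-alone run on the sample; on a real host, run: check_login_stack /etc/pam.d/login
sample=$(mktemp); write_sample_login "$sample"; check_login_stack "$sample"; rm -f "$sample"
```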

Please note that pam_krb4 is only intended for local access, and should not be used to authenticate network services. In particular, because telnetd uses /bin/login for user authentication, it is important that you disallow telnet access to the machine. Leaving telnet access open will completely nullify the security benefits of Kerberos, allowing an attacker to sniff passwords on the network! Properly configuring your workstation to function as a network server within a Kerberos domain requires the assistance of the domain administrator. It should be possible to use pam_krb4 authentication with encrypted network services such as ssh; however, this configuration is not recommended.