Kerberos on OpenBSD

Kerberos on OpenBSD
	Part IX. OpenBSD

Jurjen Bokma

January 2009

OpenBSD 4.4 comes with Heimdal installed. For this section, I used the docs for Heimdal version 1.2, augmented with the MIT Kerberos 5 docs and the info heimdal command within Open BSD.

I'm setting up a small home server here, so no elaborate failover measures, and DHCP server == nameserver == NTP server == KDC == Kerberos server.

Procedure 57. Installing and configuring Kerberos/Heimdal on OpenBSD 4.4

Preliminaries

Before starting on Kerberos, make sure you have nameserving and NTP set up (see Conference under Docker for that). It is a good idea to make the Kerberos server and clients use the same NTP server, or as I did here, have the Kerberos server be the NTP server.

Note

	Note
Now is a good moment put a few Kerberos records in your DNS: ; Kerberos info _kerberos._tcp SRV 10 1 88 kerberos.mynet. _kerberos._udp SRV 10 1 88 kerberos.mynet. _kpasswd._udp SRV 10 1 464 kerberos.mynet. _kerberos-adm._tcp SRV 10 1 749 kerberos.mynet. kerberos CNAME host1.mynet. In order for this to also work on the nameserver, it must have localhost listed as the first nameserver in `/etc/resolv.conf`. If that `resolv.conf` is maintained by DHCP because the nameserver is also the gateway (a typical home router setup), `/etc/dhclient.conf` can be edited to contain a line which will do the trick: prepend domain-name-servers 127.0.0.1;

Now is a good moment put a few Kerberos records in your DNS:

 ; Kerberos info
 _kerberos._tcp          SRV     10 1 88 kerberos.mynet.
 _kerberos._udp          SRV     10 1 88 kerberos.mynet.
 _kpasswd._udp           SRV     10 1 464 kerberos.mynet.
 _kerberos-adm._tcp      SRV     10 1 749 kerberos.mynet.
 
 kerberos        CNAME   host1.mynet.

In order for this to also work on the nameserver, it must have localhost listed as the first nameserver in /etc/resolv.conf. If that resolv.conf is maintained by DHCP because the nameserver is also the gateway (a typical home router setup), /etc/dhclient.conf can be edited to contain a line which will do the trick:

	    prepend domain-name-servers 127.0.0.1;

Creating the database

The KDC - Key Distribution Center - is the service that issues tickets to principals asking for one, and thus is the heart of Kerberos. We follow the Heimdal docs on creating a database and do the following:

Create a working directory for Kerberos (which will be shared between all KDC daemons). We use /var/heimdal because it is the compiled-in default of the binaries that come with OpenBSD:
sudo mkdir /var/heimdal sudo chmod go-rwx /var/heimdal/ sudo ls -ld /var/heimdal/ drwx------ 2 root wheel 512 May 25 11:17 /var/heimdal/

We create a master key for the Kerberos database, so that an intruder who steals the database file(s) will also have to steal the key before they can read all the tickets. The way to steal the database is typically by gaining read access to the disk on which both the database and the key are stored, so the point of this exercise eludes me a bit, but we go with the flow of the manual here. The key is generated.

$ sudo kstash --random-key kstash: writing key to `/var/heimdal/m-key'

Note

	Note
Now is the time to make sure `/etc/kerberosV/krb.conf` is valid: [libdefaults] # Set the realm of this host here default_realm = INTRANET # Maximum allowed time difference between KDC and this host clockskew = 300 [realms] INTRANET = { # Specify KDC here kdc = intra1.intranet # Administration server, used for creating users etc. admin_server = intra1.intranet } # This sections describes how to figure out a realm given a DNS name [domain_realm] .intranet = INTRANET [kadmin] # For a k5 only realm, this will be fine default_keys = v5 [logging] # The KDC logs by default, but it's nice to have a kadmind log as well. kadmind = FILE:/var/heimdal/kadmind.log [kdc] addresses = 127.0.0.1 10.0.38.1 Otherwise, following commands will fail with: `krb5_init_context failed: 22`

Now is the time to make sure /etc/kerberosV/krb.conf is valid:

[libdefaults]
        # Set the realm of this host here
        default_realm = INTRANET

        # Maximum allowed time difference between KDC and this host
        clockskew = 300

[realms]
        INTRANET = {
                # Specify KDC here
                kdc = intra1.intranet

                # Administration server, used for creating users etc.
                admin_server = intra1.intranet
        }

# This sections describes how to figure out a realm given a DNS name
[domain_realm]
        .intranet = INTRANET

[kadmin]
        # For a k5 only realm, this will be fine
        default_keys = v5

[logging]
        # The KDC logs by default, but it's nice to have a kadmind log as well.
        kadmind = FILE:/var/heimdal/kadmind.log

[kdc]
addresses = 127.0.0.1 10.0.38.1

Otherwise, following commands will fail with: krb5_init_context failed: 22

We initialize the realm using kadmin, with the -l option to make it:
$ sudo kadmin -l Password: kadmin> command>init INTRANET Realm max ticket life [unlimited]: Realm max renewable ticket life [unlimited]: kadmin>
Add a principal:
kadmin> add tuya Max ticket life [1 day]: Max renewable life [1 week]: Principal expiration time [never]: Password expiration time [never]: Attributes []: tuya@INTRANET's Password: Verifying - tuya@INTRANET's Password: kadmin>exit

By now, in /var/heimdal, there should exist three files. m-key, the stored encryption key for the database, log, and heimdal-db, the database itself. If we start the KDC daemon, we should be able to fetch a ticket:

/usr/libexec/kdc & kinit tuya tuya@INTRANET's Password: $

Running the daemons
With the Kerberos database prepared and the KDC daemon runnable, we set up the system in such a way that it will run the daemons by default. In /etc/rc.conf.local, we add a stanza ...
```
#KerberosV/Heimdal
krb5_master_kdc=YES
	
```
... which will cause the daemons to be started from /etc/rc to start /usr/libexec/{kdc,kadmind,kpasswdd} with no parameters. Then we reboot: sudo reboot
Note

Before rebooting, you might want to run these programs by hand to see if they generate any output. They log to files in /var/heimdal by default.

After rebooting, ps axu should show the kdc, kadmind and kpasswdd running.

	Note
Before rebooting, you might want to run these programs by hand to see if they generate any output. They log to files in `/var/heimdal` by default.

Opening up the firewall

The pf firewall on the KDC needs a line:

pass in log on $intranet_if proto {tcp, udp} from $intranet to $intranet_if:0 port { kerberos }


Installing OpenLDAP on OpenBSD		redirecting ssh through PF