Kerberos on OpenBSD

Jurjen Bokma

January 2009


OpenBSD 4.4 comes with Heimdal installed. For this section, I used the docs for Heimdal version 1.2, augmented with the MIT Kerberos 5 docs and the info heimdal command on OpenBSD.

I'm setting up a small home server here, so there are no elaborate failover measures, and DHCP server == nameserver == NTP server == KDC == Kerberos server.

Procedure 51.  Installing and configuring Kerberos/Heimdal on OpenBSD 4.4
  1. Before starting on Kerberos, make sure you have nameserving and NTP set up (see for that). It is a good idea to make the Kerberos server and clients use the same NTP server, or, as I did here, to have the Kerberos server be the NTP server.

  2. The KDC (Key Distribution Center) is the service that issues tickets to principals that ask for one, and is thus the heart of Kerberos. We follow the Heimdal docs on creating a database and do the following:

    By now there should be three files in /var/heimdal: m-key, the stored encryption key for the database; log; and heimdal-db, the database itself. If we start the KDC daemon, we should be able to fetch a ticket:

    /usr/libexec/kdc &
    kinit tuya
    tuya@INTRANET's Password:
    $

  3. With the Kerberos database prepared and the KDC daemon runnable, we set up the system in such a way that it will run the daemons by default. In /etc/rc.conf.local, we add a stanza ...

    #KerberosV/Heimdal
    krb5_master_kdc=YES

    ... which causes /etc/rc to start /usr/libexec/{kdc,kadmind,kpasswdd} with no parameters. Then we reboot: sudo reboot

    Note

    Before rebooting, you might want to run these programs by hand to see if they generate any output. They log to files in /var/heimdal by default.

    After rebooting, ps axu should show the kdc, kadmind and kpasswdd running.

  4. The pf firewall on the KDC needs a line:

    pass in log on $intranet_if proto {tcp, udp} from $intranet to $intranet_if:0 port { kerberos }
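A small post-install sanity script for steps 2 and 3, added here as an example and not part of the original page: it checks that the three files the text expects are present in /var/heimdal, that m-key is readable by root only (an assumption about how kstash writes it, not stated on the page), and that kdc, kadmind and kpasswdd show up in ps output. Run it as root on the KDC after the reboot with --run.

```shell
#!/bin/sh
# Sanity checks for a freshly configured Heimdal KDC on OpenBSD (steps 2 and 3).
# Added example; not from the original page. Assumption: kstash stores m-key
# readable by root only, so group/world-readable bits are reported as a problem.

HEIMDAL_DIR="${HEIMDAL_DIR:-/var/heimdal}"

# check_kdc_files DIR: succeed only if m-key, log and heimdal-db exist in DIR
# and m-key has no group or other permission bits. Reports each finding.
check_kdc_files() {
    dir="$1"
    rc=0
    for f in m-key log heimdal-db; do
        if [ ! -e "$dir/$f" ]; then
            echo "missing: $dir/$f"
            rc=1
        fi
    done
    if [ -e "$dir/m-key" ]; then
        # characters 5-10 of the ls -l mode string are the group/other bits
        perms=$(ls -l "$dir/m-key" | cut -c5-10)
        if [ "$perms" != "------" ]; then
            echo "m-key readable beyond root (group/other bits: $perms)"
            rc=1
        fi
    fi
    return $rc
}

# check_kdc_daemons PS_OUTPUT: succeed only if kdc, kadmind and kpasswdd all
# appear in the given "ps axu" text, started from /usr/libexec as /etc/rc does.
check_kdc_daemons() {
    ps_out="$1"
    rc=0
    for d in kdc kadmind kpasswdd; do
        if ! printf '%s\n' "$ps_out" | grep -q "/usr/libexec/$d"; then
            echo "not running: $d"
            rc=1
        fi
    done
    return $rc
}

# On the KDC itself, run as root after the reboot: sh kdc-check.sh --run
if [ "${1:-}" = "--run" ]; then
    check_kdc_files "$HEIMDAL_DIR" && check_kdc_daemons "$(ps axu)" \
        && echo "KDC files and daemons look as expected"
fi
```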