Kerberos

I had nothing important to do this weekend, so I played a bit with kerberos. Pretty fun, that, and the Debian packages make it all so easy.

First, when setting up Kerberos, you should note that there are two competing implementations: one is heimdal, the other is the MIT reference implementation. The former has some additional features (like storing principals in LDAP rather than plain files), but I found that krb5 was useful enough to me, so I didn't investigate further. Also, storing principals in LDAP isn't as useful as it sounds—kerberos is designed to make password replication unnecessary, so you want to keep the principal database on a machine with little or (preferably) no other jobs to do. You certainly do not want to store it in a server that will put it out to the world for all to see.

Anyway.

It's pretty well documented in info krb5-install (in the krb5-doc package), and the Debian packages let you do most of the setup through maintainer scripts and debconf questions; the one exception is creating a new realm, which you do through a provided script.

... and this means that setting up kerberos on Debian is peanuts. Really.

You need (at least) one KDC, which you get by installing the krb5-kdc package. For exactly one KDC (which will be your master KDC) you also need the admin daemon; you get that one by installing krb5-admin-server. Then, on the hosts in your network, you want to install krb5-utils and libpam-krb5.so for authentication. After configuring them (as explained in the krb5-install document), you have a live kerberos system. It takes you about five minutes to do the initial setup (once you understand how the system works), and about 10 seconds to add a host to the system.

Of course, doing kerberos setup is useless if all you want is to be able to log on to one system. But if you have more systems, you might want to use, e.g., the Kerberos support that is in OpenSSH, which you enable by adding the following two lines to both /etc/ssh/sshd_config and /etc/ssh/ssh_config (though obviously not on the same hosts):

KerberosAuthentication yes
GSSAPIAuthentication yes

... and with that, you'll have a kerberized setup.
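One thing to watch when adding those two lines: OpenSSH takes the first active occurrence of a keyword it finds, and anything written after a Match or Host line belongs to that block, so simply appending them to a file that already says "no" higher up changes nothing. The script below is an added example (shell, not from the original post) that sets the two directives so they actually take effect; it assumes only POSIX sh and awk, and the sample file it edits is a constructed stand-in, not a real sshd_config.

```shell
#!/bin/sh
# Added example, not from the original post: set the two directives the post
# names in an OpenSSH config file the way OpenSSH actually reads them. The
# FIRST active occurrence of a keyword wins, and a line written after a Match
# (sshd_config) or Host (ssh_config) line belongs to that block, so appending
# "GSSAPIAuthentication yes" to a file with an active "GSSAPIAuthentication no"
# higher up silently changes nothing. The function leaves exactly one active,
# global directive. Keywords are case-insensitive; comments never match.

# set_ssh_option FILE KEYWORD VALUE
set_ssh_option() {
    file=$1 key=$2 value=$3
    tmp="$file.tmp.$$"
    awk -v key="$key" -v value="$value" '
        BEGIN { lk = tolower(key); done = 0 }
        {
            line = $0; sub(/^[ \t]+/, "", line); low = tolower(line)
            if (low ~ ("^" lk "([ \t]|=)")) {          # an active directive
                if (!done) { print key " " value; done = 1 }
                next                                    # drop later copies, block-local ones too
            }
            if (!done && low ~ /^(match|host)([ \t]|$)/) {  # first block: go before it
                print key " " value; done = 1
            }
            print
        }
        END { if (!done) print key " " value }          # nothing found: append
    ' "$file" > "$tmp" && cat "$tmp" > "$file"           # cat keeps mode and owner
    rm -f "$tmp"
}

# The two lines from the post, for one file: sshd_config on servers, ssh_config on clients.
kerberize_ssh_config() {
    set_ssh_option "$1" KerberosAuthentication yes
    set_ssh_option "$1" GSSAPIAuthentication yes
}

# Demo on a constructed stand-in for sshd_config (not a real system file): a
# commented default, an active "no", and a Match block a naive append would land in.
demo=$(mktemp)
printf '#GSSAPIAuthentication no\nGSSAPIAuthentication no\nMatch User backup\n    PasswordAuthentication no\n' > "$demo"
kerberize_ssh_config "$demo"
cat "$demo"
rm -f "$demo"
```

On a real server, run sshd -t against the edited file before restarting sshd, since a malformed sshd_config keeps the daemon from starting.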

Fun.