Skip to main content

Installing Kerberos on Red Hat

Installation of Kerberos on Red Hat Enterprise, CentOS, and Fedora is roughly the same. We recommend using Red Hat Enterprise 4.0 or later, since the Kerberos support in earlier versions is less mature. All Red Hat variations come with a complete set of Kerberos packages but require configuration to work with Stanford's Kerberos realm.

Clients and basic configuration

For a basic Kerberos install on a Red Hat system, install the krb5-workstation package. This will install the basic kinit, klist, kdestroy, and kpasswd clients as well as Kerberos versions of rlogin, rsh, and rcp. Depending on the version of Red Hat, the binaries may be in /usr/kerberos/bin instead of /usr/bin, so you may need to add /usr/kerberos/bin to your path.

You will need to install an /etc/krb5.conf file with the appropriate configuration for Stanford's Kerberos realm. You can download the sitewide version or just add the realm information for the stanford.edu realm by adding:

    stanford.edu = {
        kdc            = krb5auth1.stanford.edu:88
        kdc            = krb5auth2.stanford.edu:88
        kdc            = krb5auth3.stanford.edu:88
        master_kdc     = krb5auth1.stanford.edu:88
        admin_server   = krb5-admin.stanford.edu
        default_domain = stanford.edu
    }

to the [realms] section and:

    stanford.edu              = stanford.edu
    .stanford.edu             = stanford.edu

to the [domain_realm] section. The sitewide version contains some additional realm mappings that are sometimes useful.

If you are using AFS on this system, you will also want to install the openafs-krb5 package, which provides the aklog program. aklog will obtain AFS tokens from Kerberos tickets. If this package isn't available from your regular RPM sources, you can download it from the OpenAFS web site.

The SSH client that comes with Red Hat (at least RHEL4 and later) supports GSSAPI authentication but does not enable it by default. You may want to enable it globally on your system by adding a stanza like:

    Host *
        GSSAPIAuthentication yes

to /etc/ssh/ssh_config.

Remote logins

First, before enabling remote logins with Kerberos, you should make sure that all accounts on your system with logins enabled either match the SUNet IDs of those users or contain a .k5login file (which should be empty if Kerberos logins aren't permitted for that account). By default, the servers that accept Kerberos logins will allow a user to log in to an account if their Kerberos principal matches the account name. The presence of a .k5login file overrides this logic and only principals listed in that file will be permitted to log in to that account.

See UNIX Kerberos Commands in the user guide for more information on creating a .k5login file.

To authenticate connections to your system using Kerberos, the system needs its own Kerberos service principal and a keytab for that principal. The service principal is an account in Kerberos, similar to a SUNet ID but for a service instead of a person. The keytab is, in essence, the password for that account stored in a file on your system. For information on how to obtain a service principal, see Downloading Keytabs with Wallet.

The SSH server that comes with Red Hat includes GSSAPI support (although unfortunately only for user authentication, not for host authentication, so you still need a server key pair). That support is disabled by default. To enable it, add:

    GSSAPIAuthentication yes
    GSSAPICleanupCredentials yes

to /etc/ssh/sshd_config. You can ignore any Kerberos* options; those are for an older version of Kerberos support that's not recommended or particularly useful. After modifying this file, restart sshd with service sshd restart.

This only adds Kerberos support for users who have a Kerberos-aware SSH client. To allow users to log in with a username and password but check that password against Kerberos and use it to acquire Kerberos tickets, enable PAM support in sshd (UsePAM in /etc/ssh/sshd_config) and see the next section.

If you want to allow Kerberos rlogin, rsh, and rcp connections, you may need to add configuration files for those services to /etc/xinetd.d. For more information, see Kerberos and xinetd Configuration.

Local logins

Logins with a username and password, which includes console logins, login managers such as gdm or kdm, SSH with a username and password, and screen lock programs, use PAM to verify that password and to obtain user credentials such as Kerberos tickets. Therefore, enabling use of Kerberos passwords for local login means adding a Kerberos PAM module to your PAM configuration.

Red Hat provides a Kerberos PAM module in the pam_krb5 package. To set it up, install that package and read the man page for pam_krb5. Normally, the setup will involve adding pam_krb5 to the PAM configuration in /etc/pam.d/system-auth.

Be aware, however, that Red Hat's PAM module doesn't handle the case where local usernames are different than the user's SUNet IDs. (In other words, it doesn't support the search_k5login option supported by the PAM module shipped with Debian.) If this support is important to you, you may want to install pam-krb5 and use it instead (available to RHEL/CentOS servers on campus - see the Linux Service page). See its documentation for more details on how to configure it.

Last modified