Red Hat Linux Networking, System Administration (P31)


CAUTION: Before logging out of this client system and configuring another, open a new login session to this host using the telnet or ssh commands to ensure that you can correctly log in using LDAP. If you encounter any problems, do not log out of this system until you have resolved them.

Installing, Configuring, and Using Kerberos

Kerberos is a distributed authentication service that was originally developed at the Massachusetts Institute of Technology (MIT) for use with MIT's Athena project, a distributed computing environment. Kerberos was popularized by its use at MIT and in the AFS distributed file system, developed at Carnegie-Mellon University, Transarc Corporation, and now available as a supported IBM product and an open-source project. The security provided by Kerberos is so well-respected and robust that Kerberos has even been adopted by Microsoft as an underlying authentication model for Windows 2000 and subsequent versions of Windows.

Kerberos is designed to provide secure authentication for client-server applications by using strong cryptography to enable clients to prove their identity to servers over the network. In more advanced Kerberos installations, clients and servers that have used Kerberos to prove their identity to each other can optionally encrypt all subsequent communications to ensure privacy. This requires that all applications that exchange data over the network be either special Kerberos-aware versions or that they link with Kerberos-aware libraries.

In its simplest form, Kerberos works by exchanging encrypted security information between clients, which can be users or machines, the Kerberos Authentication Server, and the resource you are trying to access. The information that is initially exchanged when attempting to prove one's identity is known as a ticket. The information used to encrypt tickets and subsequent communications is known as a key. After the identity of a client is verified, that client is granted a Kerberos token that can be used to verify the client's identity to any Kerberos-aware service. For security reasons, Kerberos tokens are timestamped so that they automatically expire unless renewed by a user or service.

The timestamps contained within Kerberos tokens (and tickets) can be verified only if the time and date are synchronized across Kerberos clients and servers. Kerberos authentication will fail if client and server clocks become skewed by more than 5 minutes. This is the suggested default value, which you can change in your Kerberos configuration files. We strongly suggest that you run Network Time Protocol (NTP) daemons on all Kerberos clients and servers to ensure that their clocks remain in sync. It is also a good idea to set up replicated time servers for any site using Kerberos so that your site can still synchronize client clocks if you encounter problems connecting to the Internet.


Kerberos is often referred to as a trusted third-party authentication service because each participant in the Kerberos authentication process believes in Kerberos's assessment of the identity of the other parties in that process. Kerberos verifies each participant's assessment using private keys that each participant generates during each stage of the authentication process. Kerberos is very robust and secure because all stages of the authentication process exchange encrypted information. At no point are passwords transmitted over the network without first being encrypted.

Kerberos Terminology, Machine Roles, and Reliability

As a sitewide authentication mechanism, Kerberos introduces some new terms that you must understand in order to use Kerberos effectively. The most basic of these is the idea of a realm, which is essentially a set of machines that uses a Kerberos server for authentication and that, therefore, trusts that server. In Kerberos configuration files, your realm is typically identified in uppercase characters to differentiate it from any, usually similar, DNS domain with which it is associated.

Reliability is a critical aspect of a sitewide authentication mechanism. Kerberos environments are protected against the failure of key systems and services by replicating those systems on slave systems. The most critical of these is the Key Distribution Center (KDC) system, the primary system for granting tickets and the system that houses the master copy of the Kerberos database. KDC slaves contain copies of the Kerberos database but cannot perform administrative functions; they only grant tickets in the event that the primary system is unavailable.

TIP: As a general rule, all KDC systems should be installed so that they can serve as either a master or a slave. In the event of a hardware problem with your primary KDC systems, this simplifies converting an existing slave to a new master KDC.

Kerberos Packages for Linux

The packages that provide Kerberos and Kerberos-related libraries, server processes, utilities, and header files on RHEL and Fedora Core systems are:

■■ krb5-workstation — Contains basic Kerberos programs (kinit, klist, kdestroy, kpasswd) as well as Kerberized versions of the telnet and ftp applications. This package should be installed on every client of a Kerberos server.

■■ krb5-server — Provides the programs that must be installed on a Kerberos 5 server or server replica.

Implementing Network Security 865


■■ krb5-libs — Contains the shared libraries required for Kerberos clients and servers.

■■ krbafs-utils — Provides versions of core utilities for the AFS distributed file system that are linked against the krbafs library.

■■ krbafs-devel — Includes header files and static libraries for developing and compiling applications that use the krbafs library.

■■ krbafs — Provides the krbafs shared library that enables programs to obtain tokens for the AFS distributed file system using Kerberos 4 credentials without needing access to the official AFS libraries.

■■ krb5-auth-dialog — Contains a pop-up dialog that warns users when their Kerberos tickets are about to expire and enables them to renew them.

■■ krb5-devel — Includes header files and libraries necessary for developing and compiling Kerberos 5 applications.

■■ pam_krb5 — Provides a PAM (Pluggable Authentication Module) that enables Kerberos authentication. This package also includes a PAM (pam_krb5afs) that can get tokens for the AFS distributed file system.

NOTE: The Kerberos packages supplied with Red Hat Linux are not the only Kerberos implementation available. Other freely available versions of Kerberos include the Heimdal project (www.pdc.kth.se/heimdal), the Shishi project (http://josefsson.org/shishi), and the original implementation from the Kerberos mothership at MIT (http://web.mit.edu/kerberos/www).

Core Kerberos Utilities

This section highlights the most common utilities associated with Kerberos authentication. For additional information about any of these processes or files, consult the online reference information for them by using the man command. All of these utilities are located in the /usr/kerberos/bin directory on a Fedora Core or RHEL system:


■■ kinit — Enables you to obtain tokens manually for a specified user.

■■ klist — Lists the tokens of the current, or a specified, user.

■■ kdestroy — Deletes tokens owned by the current user.

The /usr/kerberos/bin directory also contains Kerberized versions of common applications such as ftp, rcp, rsh, telnet, and so on. On systems that use Kerberos, you should put the /usr/kerberos/bin directory in the default PATH for users before standard system directories such as /usr/bin and /bin, so that the Kerberized versions are found first.

Installing and Configuring a Kerberos Server

After installing the krb5-libs, krb5-server, and krb5-workstation packages on the system that you are going to use as your primary Key Distribution Center, the first step in configuring your Kerberos environment is to set up your master Key Distribution Center. The process for doing this is the following:

1. Edit the general Kerberos configuration file for your environment, /etc/krb5.conf. This file identifies the KDCs and admin servers in your Kerberos realm and provides default values for your realm, Kerberos applications, and for how your existing hostnames map into your Kerberos realm. A sample /etc/krb5.conf file for the realm VONHAGEN.ORG is the following:

    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
     default_realm = VONHAGEN.ORG
     dns_lookup_realm = false
     dns_lookup_kdc = false
     ticket_lifetime = 24h
     forwardable = yes

    [realms]
     VONHAGEN.ORG = {
      kdc = kerberos.vonhagen.org:88
      admin_server = kerberos.vonhagen.org:749
      default_domain = vonhagen.org
     }

    [domain_realm]
     .vonhagen.org = VONHAGEN.ORG
     vonhagen.org = VONHAGEN.ORG

    [kdc]
     profile = /var/kerberos/krb5kdc/kdc.conf

    [appdefaults]
     pam = {
      debug = false
      ticket_lifetime = 36000
      renew_lifetime = 36000
      forwardable = true
      krb4_convert = false
     }


The defaults provided in the /etc/krb5.conf file installed by the krb5-server package are reasonable, except that you must change all instances of EXAMPLE.COM to the name of your realm and all instances of example.com to the name of your domain (VONHAGEN.ORG and vonhagen.org, respectively, in the previous example). You must also make sure that DNS or /etc/hosts entries exist on all clients for the systems that you identify as your default KDC and admin_server systems in the [realms] section.

2. Edit the Key Distribution Center configuration file, /var/kerberos/krb5kdc/kdc.conf. The location of this file is provided in the [kdc] section of the /etc/krb5.conf file. As with the /etc/krb5.conf file, the primary change that you must make to this file is to change the instance of EXAMPLE.COM to the name of your realm, which is VONHAGEN.ORG in the following example:

    [kdcdefaults]
     acl_file = /var/kerberos/krb5kdc/kadm5.acl
     dict_file = /usr/share/dict/words
     admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
     v4_mode = nopreauth

    [realms]
     VONHAGEN.ORG = {
      master_key_type = des-cbc-crc
      supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal \
        des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal \
        des-cbc-crc:v4 des-cbc-crc:afs3
     }

3. Use the kdb5_util command on the Master KDC to create the Kerberos database and your stash file. You will have to enter the master database password twice, for verification purposes. The stash file is a local, encrypted copy of the master key that is used to automatically authenticate the KDC as part of your system's startup sequence.

    # /usr/kerberos/sbin/kdb5_util create -r VONHAGEN.ORG -s
    Loading random data
    Initializing database '/var/kerberos/krb5kdc/principal' for realm 'vonhagen.org',
    master key name 'K/M@vonhagen.org'
    You will be prompted for the database Master Password.
    It is important that you NOT FORGET this password.
    Enter KDC database master key:
    Re-enter KDC database master key to verify:

This command creates various files in the directory specified in the kdcdefaults section of your kdc.conf file: two Kerberos database files (principal.db and principal.ok), the Kerberos administrative database file (principal.kadm5), the database lock file (principal.kadm5.lock), and the stash file (.k5stash).

4. Edit the ACL definition file, /var/kerberos/krb5kdc/kadm5.acl, changing the default realm (EXAMPLE.COM) to the name of the realm that you are creating (VONHAGEN.ORG, in this example). The default entry in this file, which begins with */admin, gives any user with an admin instance (such as wvh/admin, which you create in the next step) complete access to and control over the realm's Kerberos database. After updating this file for our example realm, this file looks like the following:

    */admin@VONHAGEN.ORG *

TIP: Kerberos administrative permissions are very granular and enable you to grant different levels of administrative privileges to certain users and system administrators. See the Kerberos documentation in /usr/share/doc/krb5-server-version for more detailed information about expressing different levels of Kerberos permissions in this file. If you subsequently want to refine the permissions of a user who has an associated /admin instance, you should create an entry for that user in the /var/kerberos/krb5kdc/kadm5.acl file before the default * permissions entry for /admin users, because the first matching entry is the one that applies.

5. Use the kadmin.local command to add each of your system administrators to the Kerberos database. The kadmin.local command is a Kerberos-aware version of the standard kadmin utility that does not first authenticate to a Kerberos database and is, therefore, used for bootstrapping Kerberos on a KDC. Entries in the Kerberos database are known as principals. The following example adds an admin instance for the user 'wvh':

    # /usr/kerberos/sbin/kadmin.local
    kadmin.local: addprinc wvh/admin
    WARNING: no policy specified for wvh/admin@VONHAGEN.ORG; defaulting to no policy
    Enter password for principal "wvh/admin@VONHAGEN.ORG":
    Re-enter password for principal "wvh/admin@VONHAGEN.ORG":
    Principal "wvh/admin@VONHAGEN.ORG" created.

6. Add a standard user entry for the nonadmin version of the principal that you just created and then exit the kadmin.local utility, as in the following example. Adding a standard principal enables default authentication by the associated entity. You will eventually need to create a principal for each user that you want to be able to authenticate using Kerberos. Most sites do this by writing a script that also creates Kerberos principals when creating standard user accounts.

    kadmin.local: addprinc wvh
    WARNING: no policy specified for wvh@VONHAGEN.ORG; defaulting to no policy
    Enter password for principal "wvh@VONHAGEN.ORG":
    Re-enter password for principal "wvh@VONHAGEN.ORG":
    Principal "wvh@VONHAGEN.ORG" created.
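The first-match rule that the TIP in step 4 relies on can be checked before a kadm5.acl file goes live. The following Python is an added example, not code from the book or from MIT Kerberos; it models kadm5.acl actor/permission matching (the optional target-principal and restriction fields are left out) and shows that a restrictive wvh/admin entry is ignored whenever it follows the default */admin line:

```python
"""Evaluate kadm5.acl actor entries with the first-match rule.

Added example (not from the book or MIT Kerberos). Entries are matched
top to bottom and the first matching line decides, so a per-user line
placed after the default "*/admin@REALM *" line is never consulted.
"""

# Lowercase privilege letters used by MIT kadm5.acl; "*" and "x" grant all.
ALL_PERMS = set("admcilsp")


def parse_principal(principal):
    """Split 'name/instance@REALM' into (components, realm)."""
    name, _, realm = principal.partition("@")
    return name.split("/"), realm


def principal_matches(pattern, principal):
    """True if an ACL pattern matches a principal.

    A '*' matches one whole component (or the whole realm); it does not
    match part of a name, and the component counts must agree.
    """
    p_comps, p_realm = parse_principal(pattern)
    c_comps, c_realm = parse_principal(principal)
    if len(p_comps) != len(c_comps):
        return False
    if p_realm not in ("*", c_realm):
        return False
    return all(p in ("*", c) for p, c in zip(p_comps, c_comps))


def parse_acl(text):
    """Return [(actor_pattern, permission_letters), ...] in file order.

    Comment (#) and blank lines are skipped. The optional target-principal
    and restriction fields are not modelled.
    """
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError("malformed ACL line: %r" % line)
        entries.append((fields[0], fields[1]))
    return entries


def expand_perms(letters):
    """Permission field -> set of granted lowercase privilege letters.

    Uppercase letters in this format withhold a privilege rather than
    grant one, so they contribute nothing to the granted set.
    """
    if letters in ("*", "x"):
        return set(ALL_PERMS)
    return {ch for ch in letters if ch.islower()}


def governing_entry(entries, principal):
    """Index of the first entry matching the principal, or None."""
    for idx, (pattern, _) in enumerate(entries):
        if principal_matches(pattern, principal):
            return idx
    return None


def allowed(entries, principal, privilege):
    """Does the governing entry grant one privilege letter (e.g. 'd')?"""
    idx = governing_entry(entries, principal)
    return idx is not None and privilege in expand_perms(entries[idx][1])


# Constructed sample: the book's default line followed by a restrictive
# per-user line. The default line comes first, so it shadows the second.
SHADOWED_ACL = """\
*/admin@VONHAGEN.ORG *
wvh/admin@VONHAGEN.ORG il
"""

# The same two lines in the order the TIP recommends.
CORRECT_ACL = """\
wvh/admin@VONHAGEN.ORG il
*/admin@VONHAGEN.ORG *
"""

if __name__ == "__main__":
    for label, text in (("shadowed", SHADOWED_ACL), ("correct", CORRECT_ACL)):
        acl = parse_acl(text)
        print(label, "wvh/admin may delete principals:",
              allowed(acl, "wvh/admin@VONHAGEN.ORG", "d"))
```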

At this point, you're ready to install and start a Kerberos client, as explained in the next section. Before doing anything else, you should verify that your server can hand out tickets by using the kinit command to explicitly request one for the administrative principal that you created earlier. You can then use the klist command to verify its contents, and then destroy the ticket (just to clean up) using the kdestroy command. The following example shows this sequence:

    $ kinit wvh
    Password for wvh@VONHAGEN.ORG:
    $ klist
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: wvh@VONHAGEN.ORG

    Valid starting     Expires            Service principal
    05/03/05 22:09:04  05/04/05 22:09:04  krbtgt/VONHAGEN.ORG@VONHAGEN.ORG

    Kerberos 4 ticket cache: /tmp/tkt0
    klist: You have no tickets cached
    $ kdestroy

Enabling Kerberos Clients and Applications

Setting up a system as a Kerberos client is simple:

1. Copy the /etc/krb5.conf file from your KDC to the client.

2. Enable a sample application. Use krb-telnet, a Kerberos-aware version of the classic telnet application, as a test application. The krb-telnet server is managed by your system's inet daemon. To enable krb-telnet, modify the file /etc/xinetd.d/krb-telnet, changing the disable entry from yes to no, as in the following example:

    # default: off
    # description: The Kerberized telnet server accepts normal telnet
    # sessions, but can also use Kerberos 5 authentication.
    service telnet
    {
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/kerberos/sbin/telnetd
        log_on_failure  += USERID
        disable         = no
    }

3. Restart your system's inet daemon using the following command:

    # /etc/init.d/xinetd restart

4. Telnet to your system and make sure that you can log in successfully. After you log in, you can use the klist command to verify that you've automatically been granted the appropriate Kerberos tokens, as in the following example:

    $ klist
    Ticket cache: FILE:/tmp/krb5cc_p4979
    Default principal: wvh@VONHAGEN.ORG

    Valid starting     Expires            Service principal
    05/07/05 10:00:46  05/08/05 10:00:46  krbtgt/VONHAGEN.ORG@VONHAGEN.ORG

    Kerberos 4 ticket cache: /tmp/tkt500
    klist: You have no tickets cached

Congratulations, Kerberos is working! The next step in taking full advantage of Kerberos is to integrate it into your system's login authentication process, as described in the next section.

TIP: As mentioned earlier in this section, make sure that the time and date are synchronized between your KDCs and any Kerberos client systems before proceeding with this section. By default, a difference of more than five minutes will cause Kerberos authentication to fail.
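Both klist listings in this chapter (after kinit on the KDC and after a Kerberized telnet login) have the same shape, so the "do I hold a valid TGT" check can be scripted around them. The following Python is an added example, not code from the book; it parses that klist format and reports whether a realm's ticket-granting ticket is valid, about to expire, expired or missing at a given time (the 30-minute warning window is an assumed value):

```python
"""Parse klist output and judge whether a usable TGT is present.

Added example, not code from the book. It reads the klist layout shown in
the text (MM/DD/YY HH:MM:SS timestamps, then an optional Kerberos 4
section) and reports the state of a realm's ticket-granting ticket at a
given moment, so a post-login check can be scripted.
"""
from datetime import datetime, timedelta
import re

TIME_FMT = "%m/%d/%y %H:%M:%S"
TICKET_RE = re.compile(
    r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+"
    r"(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\S+)$"
)


def parse_time(text):
    """Turn a klist timestamp such as '05/07/05 10:00:46' into a datetime."""
    return datetime.strptime(text, TIME_FMT)


def parse_klist(text):
    """Return {'cache', 'principal', 'tickets': [(start, expires, service)]}."""
    result = {"cache": None, "principal": None, "tickets": []}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Ticket cache:"):
            result["cache"] = line.split(":", 1)[1].strip()
        elif line.startswith("Default principal:"):
            result["principal"] = line.split(":", 1)[1].strip()
        elif line.startswith("Kerberos 4 ticket cache:"):
            break  # nothing after this point is a Kerberos 5 ticket
        else:
            m = TICKET_RE.match(line)
            if m:
                result["tickets"].append(
                    (parse_time(m.group(1)), parse_time(m.group(2)), m.group(3)))
    return result


def tgt_status(parsed, realm, now, warn_within=timedelta(minutes=30)):
    """Classify the TGT for `realm` at time `now`.

    Returns 'missing', 'not_yet_valid', 'expired', 'expiring' (valid but
    within warn_within of expiry, the situation krb5-auth-dialog warns
    about) or 'valid'. The 30-minute window is an assumed default.
    """
    wanted = "krbtgt/%s@%s" % (realm, realm)
    for start, expires, service in parsed["tickets"]:
        if service != wanted:
            continue
        if now < start:
            return "not_yet_valid"
        if now >= expires:
            return "expired"
        if expires - now <= warn_within:
            return "expiring"
        return "valid"
    return "missing"


# Constructed sample mirroring the post-login listing in the text.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_p4979
Default principal: wvh@VONHAGEN.ORG

Valid starting     Expires            Service principal
05/07/05 10:00:46  05/08/05 10:00:46  krbtgt/VONHAGEN.ORG@VONHAGEN.ORG


Kerberos 4 ticket cache: /tmp/tkt500
klist: You have no tickets cached
"""

if __name__ == "__main__":
    parsed = parse_klist(SAMPLE_KLIST)
    print(parsed["principal"],
          tgt_status(parsed, "VONHAGEN.ORG", parse_time("05/07/05 12:00:00")))
```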

Using Kerberos for Login Authentication

If you are going to be using Kerberos for login authentication, testing Kerberos clients such as krb-telnet, as described in the previous section, is a great way to make sure that your Kerberos server is working and that your clients can communicate with it successfully. When you're sure that everything's working correctly, integrating Kerberos with the PAMs used for your system's login process is a logical next step.


The authconfig application provided by the RHEL and Fedora distributions simplifies integrating new authentication mechanisms by making all of the necessary modifications to the /etc/pam.d/system-auth PAM control file for you. To enable Kerberos authentication across your system, do the following:

1. Run the /usr/bin/authconfig command and select Use Kerberos in the Authentication section of the Authentication Configuration screen. Figure 34-7 shows this screen with the correct option selected.

2. Select Next and press Enter to proceed to the next screen and enter the name of your realm and the IP addresses or hostnames of your KDC and admin server (which are the same in the examples used in this chapter). Figure 34-8 shows this screen with the options appropriate to this example selected. Select OK and press Enter to exit the authconfig application.

NOTE: Using DNS to locate hosts and associated Kerberos realms requires adding special entries to your DNS server configuration files. For more information about this process, see the documentation in /usr/share/doc/krb5-server-version.

3. After exiting from authconfig, log out and log back in. After you log in, use the klist command to verify that you have Kerberos tokens, which will display information identical to that shown at the end of the previous section.

Figure 34-7 Selecting Kerberos authentication in authconfig.


Figure 34-8 Kerberos environment settings in authconfig.

After using authconfig, your /etc/pam.d/system-auth file will look like the following:

    auth        required      /lib/security/$ISA/pam_env.so
    auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
    auth        sufficient    /lib/security/$ISA/pam_krb5.so use_first_pass
    auth        required      /lib/security/$ISA/pam_deny.so
    account     required      /lib/security/$ISA/pam_unix.so broken_shadow
    account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
    account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_krb5.so
    account     required      /lib/security/$ISA/pam_permit.so
    password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
    password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
    password    sufficient    /lib/security/$ISA/pam_krb5.so use_authtok
    password    required      /lib/security/$ISA/pam_deny.so
    session     required      /lib/security/$ISA/pam_limits.so
    session     required      /lib/security/$ISA/pam_unix.so
    session     optional      /lib/security/$ISA/pam_krb5.so

TIP: If you have any problems with Kerberos login authentication, enable PAM debugging in your /etc/krb5.conf file so that you can quickly identify and resolve authentication-related problems with login and other system applications that use PAMs. To do this, simply set the debug entry in the pam section of the [appdefaults] stanza to true and restart your Kerberos server.
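The ordering and options in the system-auth stack above matter: pam_unix before pam_krb5, use_first_pass so the password is asked for only once, pam_deny closing the auth stack, and use_authtok so Kerberos password changes pass through pam_cracklib. The following Python is an added example, not part of the book or of authconfig; it parses a system-auth file, including the bracketed control syntax, and flags deviations from those properties (the check list itself is this example's own choice):

```python
"""Lint the auth/account/password stacks of /etc/pam.d/system-auth for
the Kerberos integration described in the text.

Added example, not from the book or authconfig. It parses PAM control
fields, including the bracketed '[value=action ...]' form, and checks the
properties that make the shown stack safe: pam_krb5 runs after pam_unix
with use_first_pass, the auth stack ends in required pam_deny, account
consults pam_krb5, and password changes reach pam_krb5 with use_authtok.
"""


def parse_pam(text):
    """Return a list of {'type', 'control', 'module', 'args'} dicts."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        mtype, rest = line.split(None, 1)
        if rest.startswith("["):            # bracketed control may contain spaces
            close = rest.index("]")
            control, rest = rest[:close + 1], rest[close + 1:].strip()
        else:
            control, rest = rest.split(None, 1)
        parts = rest.split()
        module = parts[0].rsplit("/", 1)[-1]   # keep only the pam_xxx.so name
        entries.append({"type": mtype, "control": control,
                        "module": module, "args": parts[1:]})
    return entries


def stack(entries, mtype):
    return [e for e in entries if e["type"] == mtype]


def lint_krb5_stack(entries):
    """Return a list of findings; an empty list means the stack looks right."""
    findings = []
    auth = stack(entries, "auth")
    mods = [e["module"] for e in auth]
    if "pam_krb5.so" not in mods:
        findings.append("auth: pam_krb5.so missing, Kerberos logins disabled")
    else:
        krb = auth[mods.index("pam_krb5.so")]
        if ("pam_unix.so" not in mods
                or mods.index("pam_unix.so") > mods.index("pam_krb5.so")):
            findings.append("auth: pam_unix.so should precede pam_krb5.so")
        if "use_first_pass" not in krb["args"]:
            findings.append("auth: pam_krb5.so lacks use_first_pass (double prompt)")
    if (not auth or auth[-1]["module"] != "pam_deny.so"
            or auth[-1]["control"] != "required"):
        findings.append("auth: stack must end with 'required pam_deny.so' to fail closed")
    if not any(e["module"] == "pam_krb5.so" for e in stack(entries, "account")):
        findings.append("account: pam_krb5.so missing, Kerberos-only users cannot log in")
    password = stack(entries, "password")
    pw_mods = [e["module"] for e in password]
    if "pam_krb5.so" not in pw_mods:
        findings.append("password: pam_krb5.so missing, passwd will not update the KDC")
    elif "use_authtok" not in password[pw_mods.index("pam_krb5.so")]["args"]:
        findings.append("password: pam_krb5.so lacks use_authtok, skipping pam_cracklib")
    return findings


# Constructed copy of the stack shown in the text.
SYSTEM_AUTH = """\
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_krb5.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_krb5.so
account     required      /lib/security/$ISA/pam_permit.so
password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_krb5.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so
session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_krb5.so
"""

if __name__ == "__main__":
    for finding in lint_krb5_stack(parse_pam(SYSTEM_AUTH)) or ["stack OK"]:
        print(finding)
```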


In an Internet environment that is increasingly hostile, system administrators must take steps to ensure the security of the systems and LANs they administer. One step is to use Linux's Netfilter packet filtering technology to create a firewall that carefully controls the ingress of Internet traffic into the LAN. A second step is to create a centralized LDAP data store that all systems use for access control and authentication. A third step is to use authentication technology, such as Kerberos, that provides enhanced security via the exchange of encrypted keys, which does not directly transmit authentication data over the Internet and which can also provide encryption support for other types of network communication.

Chapter 35

■■ Solving Common Problems

■■ Solving File System Problems

■■ Solving Networking Problems

■■ Solving NFS Problems

■■ Exploring Miscellaneous Problems

■■ Making an Emergency Boot Disk

Even the best-laid plans rarely survive contact with reality, and Red Hat Enterprise Linux is no exception. This chapter describes various problems that can occur with various subsystems and features of Fedora Core and Red Hat Enterprise Linux and suggests possible solutions. Obviously, we cannot cover everything that might go awry, but we'll cover the problems we had and how we solved them. If our crystal ball is working, we may even be able to foresee and help prevent a few problems.

Despite the work and testing that go into preparing each release, unanticipated problems inevitably emerge. Most of these problems result from one of three situations:

■■ Testing Fedora Core and Red Hat Enterprise Linux for compatibility with every piece of hardware is simply not possible.

■■ Given the range of hardware available, any given combination of two components, for example, a SCSI disk controller and a SCSI disk, may result in subtle but maddening incompatibilities.

■■ As a result of the rapid rate of hardware revisions, drivers written for earlier revisions of your hardware might not support the latest hardware version.

This chapter is intended to help you troubleshoot and solve the most common configuration challenges you might encounter when installing and using Fedora Core and Red Hat Enterprise Linux. In particular, the first section of this chapter gives you some general troubleshooting techniques that you can use to solve many problems you may encounter, not just the ones in this chapter. Other sections in this chapter help you resolve problems related to installation, the file system, networking, and booting the system. A final section addresses a few common problems that do not fit into other categories.

Troubleshooting Techniques

Trying to fix a system can seem like a daunting task, especially for a new user or someone without a lot of troubleshooting experience. But following an established set of troubleshooting steps can go a long way toward making the search for the solution to the problem a lot easier. This section will show you some steps you can follow in a specific order to find and then try to solve the problem.

Step 1: Identify the Problem

This step may seem obvious to you, but is it really? Suppose that you get a call from a user who reports being unable to check email. This is the problem, right? Not being able to check email may not be the real problem but a symptom; the underlying problem may not be so obvious. What is the problem? Is it the physical network connection, or the DNS server, the default gateway, or perhaps the email client is improperly configured? As you can see, there may be many reasons for not being able to check email, and it is important to find and solve the actual problem, not the symptom of the problem. Knowing the symptom is important because it can lead to the actual problem, which you can then solve. You need to ask yourself, or whoever reported the problem to you, some detailed questions to try to get to the root of the problem. For example, you might ask if it is possible to access Web sites on the Internet. If the answer is yes, you can rule out problems with the physical network connection. You can also rule out problems with the DNS servers and the default gateway as well. By asking just one question you are able to rule out several possible problem areas.

Step 2: Reproduce the Problem

If you discover a problem with your systems, you should always try to reproduce the problem. If a user on your network reports a problem, you should try to get him or her to reproduce the problem. Many times a user will immediately call to report being unable to do some task without even knowing what exactly they were doing when the problem occurred. Ask users to try the task again and to write down exactly what they were doing when the problem happened. Ask them if they received any error messages and, if so, what the message said. By doing this you will have more information that you can use to help you figure out the problem and its cause. If possible, try to watch users while they are performing the task to determine if they are doing it correctly.

Step 3: Look for Changes

In many cases systems work perfectly for months and suddenly they stop working. A service that worked countless times in the past is not working now. Why not? You need to determine what has changed between the time all was well and the problem was reported. You can ask some questions that may lead you to a solution. Some questions you may ask are:

■■ Could you ever perform the task? This might sound like a silly question, but often users will try to do something the system wasn't set up to do. Perhaps they can do the task at home and decided to try it at work. You may need to explain to the users that they may not be able to do the task and it isn't a problem with their system.

■■ If a service was available, when did it become unavailable? Knowing the answer to this question may lead you to a change that occurred immediately before the problem happened. The cause of the problem may be directly related to the change. This question also leads into the next question.

■■ What changed since the service was available? Did the user install any software on the system? Did you install any software on the system? Many times the change that occurred is responsible for the problem.

■■ Are other users affected by the problem? If the problem is affecting only one user, you can usually isolate the problem to that user's system.

These are just a few of the questions you may ask yourself or your users. There are many other probing questions you can ask at this step and also other steps of the troubleshooting process. The more information you have, the easier your troubleshooting will be.

Step 4: Determine the Most Likely Cause

By now you have gone through three steps in your troubleshooting and should be able to narrow down the problem. Next, you need to decide the possible cause of the problem.

Troubleshooting and Problem Solving 877


If we continue the earlier example, the user reporting being unable to check email, our questioning so far has eliminated many possible causes. We know that the physical network connections are good and our DNS and router configurations are good as well. If the problem is affecting only one user, we can make a good guess that the problem is related to that specific user's system. Obviously something changed in the configuration of that user's system, and we can continue our problem solving there by examining that particular system, specifically the email configuration settings.

Step 5: Implement a Solution

After you have determined the most likely cause of the problem, you need to propose and implement a solution. Continuing with the example of being unable to send email, you have determined the problem is the individual user's system. You need to check the user's system configuration and make the necessary changes to restore the service. After you put your solution in place, you need to test the system to be sure the solution solved the problem. Next, you should be sure that implementing your solution has not caused any additional problems. Sometimes solving one problem can cause other problems, and you need to be sure this is not the case with your solution.

Step 6: Keep Documentation

Any time you have a problem, whether you discovered it yourself or it was reported to you by a user, you should always document it. You should fully describe the problem, the steps you took to investigate it, and the solution you implemented. By keeping good documentation about system problems, you can considerably shorten future incidents of troubleshooting similar problems.

Posted: 07/07/2014, 09:20
